24525860 upgrade OpenSSH to 7.3p1
24320031 problem in UTILITY/OPENSSH
24461706 problem in UTILITY/OPENSSH
24752716 Eliminate hard-to-maintain manpages section-number patch in openssh 11.3SRU
15366793 sshd calls pam_authenticate() for none method if PermitEmptyPasswords=yes
24597931 PAM_BUGFIX by-passes fake password for timing attack avoidance
23223069 problem in UTILITY/OPENSSH
24923674 problem in UTILITY/OPENSSH
23577308 OpenSSH Makefile: -DWITHOUT_ED25519 left behind
23140756 openssh passes bad option to configure (--with-tcp-wrappers)
24301902 Log connections dropped when exceeding MaxStartups
--- a/components/openssh/Makefile Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/Makefile Wed Nov 16 12:17:49 2016 -0800
@@ -26,22 +26,22 @@
include ../../make-rules/shared-macros.mk
COMPONENT_NAME= openssh
-COMPONENT_VERSION= 7.2p2
+COMPONENT_VERSION= 7.3p1
HUMAN_VERSION= $(COMPONENT_VERSION)
COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
# Version for IPS. The encoding rules are:
# OpenSSH <x>.<y>p<n> => IPS <x>.<y>.0.<n>
# OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n>
-IPS_COMPONENT_VERSION= 7.2.0.2
+IPS_COMPONENT_VERSION= 7.3.0.1
COMPONENT_PROJECT_URL= http://www.openssh.org/
COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
-COMPONENT_ARCHIVE_HASH= sha256:a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c
+COMPONENT_ARCHIVE_HASH= sha256:3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc
COMPONENT_ARCHIVE_URL= http://mirrors.sonic.net/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB=utility/openssh
-TPNO_OPENSSH= 27414
+TPNO_OPENSSH= 30602
TPNO_GSSKEX= 20377
include $(WS_MAKE_RULES)/prep.mk
@@ -58,9 +58,8 @@
CFLAGS += -DPAM_ENHANCEMENT
CFLAGS += -DPAM_BUGFIX
CFLAGS += -DOPTION_DEFAULT_VALUE
-CFLAGS += -DWITHOUT_ED25519
CFLAGS += -DPER_SESSION_XAUTHFILE
-CFLAGS += -DWITHOUT_CAST128
+CFLAGS += -DOPENSSL_NO_CAST
CFLAGS += -DENABLE_OPENSSL_FIPS
CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS)"
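Review bot: The new `CFLAGS += -DOPENSSL_NO_CAST` line defines from the compiler command line what is normally an OpenSSL configuration macro, and nothing in this block records why the build sets it itself instead of relying on the installed opensslconf.h, nor why the local `-DWITHOUT_CAST128` define it replaces was no longer suitable. Because the other `-D` lines here (`-DPAM_BUGFIX`, `-DENABLE_OPENSSL_FIPS`) are equally undocumented, a one-line comment above the new define would help the next upgrade, e.g. `# OPENSSL_NO_CAST: build without the cast128 cipher ([reason: fill in])`. If the intent is that the flag must track the libcrypto actually delivered on the system, that is presumably worth stating in the same comment; I cannot confirm it from the hunk.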
@@ -82,7 +81,6 @@
CONFIGURE_OPTIONS += --with-pam
CONFIGURE_OPTIONS += --with-sandbox=no
CONFIGURE_OPTIONS += --with-solaris-contracts
-CONFIGURE_OPTIONS += --with-tcp-wrappers
CONFIGURE_OPTIONS += --with-4in6
CONFIGURE_OPTIONS += --with-xauth=$(USRBINDIR)/xauth
CONFIGURE_OPTIONS += --disable-strip
@@ -93,12 +91,19 @@
CONFIGURE_OPTIONS += --bindir=$(USRBINDIR)
CONFIGURE_OPTIONS += --disable-lastlog
-# Copy Solaris specific source files and generate configuration script
-COMPONENT_PREP_ACTION += \
- ( $(CP) sources/*.c $(@D)/; \
- cd $(@D); autoconf; \
- )
+MANLIST= moduli.5 scp.1 sftp-server.8 sftp.1 ssh-add.1 ssh-agent.1 \
+ ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8 \
+ ssh.1 ssh_config.5 sshd.8 sshd_config.5
+# To avoid complexity with updates, after patching for specific code-related
+# issues, auto-edit the man pages to meet Solaris legacy standards for
+# man page organization.
+# Then copy Solaris specific source files and generate configuration script
+COMPONENT_PREP_ACTION += ( \
+ files/convert-man $(SOURCE_DIR) $(MANLIST); \
+ $(CP) sources/*.c $(@D)/; \
+ cd $(@D); autoconf; \
+ )
# common targets
configure: $(CONFIGURE_32)
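Review bot: The new `files/convert-man $(SOURCE_DIR) $(MANLIST);` line is chained with `;`, so a failure of convert-man (a missing file in MANLIST, a failed copy back) does not stop the prep step; the subshell's status is that of the last command, `autoconf`, and the script itself does not use `set -e`. The same applies to the pre-existing `$(CP)` and `cd` lines that the hunk rewrites. Chaining with `&&` makes a partial prep fail loudly: `files/convert-man $(SOURCE_DIR) $(MANLIST) && \`, `$(CP) sources/*.c $(@D)/ && \`, `cd $(@D) && autoconf \`. The comment on the lines above could also say that convert-man must run after the patches in patches/ have been applied, which the script's own header comment states but the Makefile does not.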
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/files/convert-man Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+# Each time upstream puts in new features, man pages change, and more
+# additional changes of our own go into man page patches. This causes patch to
+# fail, requiring it to be re-hand-created. This program will fix the
+# man page section numbers at gmake prep time, after all other changes
+# and patches are applied.
+
+export SOURCE_DIR
+SOURCE_DIR=$1
+shift
+
+#set -x
+#echo $1
+
+for i in $* ; do
+ echo $SOURCE_DIR/$i
+ cat $SOURCE_DIR/$i | \
+ sed '
+ s/ssh_config 5/ssh_config 4/g
+ s/moduli 5/moduli 4/g
+ s/sshd_config 5/sshd_config 4/g
+ s/ssh-keysign 8/ssh-keysign 1M/g
+ s/sftp-server 8/sftp-server 1M/g
+ s/ssh-pkcs11-helper 8/ssh-pkcs11-helper 1M/g
+ s/sshd 8/sshd 1M/g' > /tmp/$i.sed
+ cp /tmp/$i.sed $SOURCE_DIR/$i
+ rm /tmp/$i.sed
+done
+
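Review bot: The loop writes each rewritten man page to a predictable name in the shared directory, `/tmp/$i.sed`, and then copies it back over `$SOURCE_DIR/$i`; a fixed, guessable path in a world-writable directory is the classic pattern that lets another local user on the build host pre-create or symlink that name, and the `cp`/`rm` pair also leaves stale files behind if the build is interrupted between them. Writing the temporary file next to the source, with an atomic `mv`, removes both problems, and `set -e` makes a failed `sed` or `mv` abort the prep rather than silently producing an unconverted page. The unquoted `$*` should be `"$@"` as well, and `cat file | sed` can simply be `sed ... file`. The lines below replace the loop body; the sed script itself is unchanged.
```sh
set -e
for i in "$@" ; do
	echo "$SOURCE_DIR/$i"
	# … unchanged: the seven s/…/…/g section-number rewrites, now reading the file directly …
	sed '…' "$SOURCE_DIR/$i" > "$SOURCE_DIR/$i.tmp"
	mv -f "$SOURCE_DIR/$i.tmp" "$SOURCE_DIR/$i"
done
```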
--- a/components/openssh/openssh.p5m Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/openssh.p5m Wed Nov 16 12:17:49 2016 -0800
@@ -36,6 +36,8 @@
set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
set name=org.opensolaris.arc-caseid value=PSARC/2012/335
set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+file sources/sshd-none path=etc/pam.d/sshd-none group=sys mode=0644 \
+ overlay=allow preserve=renamenew
link path=usr/bin/scp target=../lib/openssh/bin/scp mediator=ssh \
mediator-implementation=openssh
link path=usr/bin/sftp target=../lib/openssh/bin/sftp mediator=ssh \
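Review bot: The new `file sources/sshd-none path=etc/pam.d/sshd-none ...` entry delivers a PAM service stack whose contents are not part of this diff, and nothing in the manifest says what consumes it. Since the file name suggests it is the stack sshd uses for the "none" authentication method (commit message item 15366793), and `overlay=allow preserve=renamenew` means administrator edits to it survive upgrades, a comment on the line before it would help reviewers of later changes, e.g. `# PAM service stack used by sshd for the "none" auth method (15366793)`. I cannot confirm the purpose from this hunk; please adjust the wording to match sources/sshd-none.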
--- a/components/openssh/patches/003-last_login.patch Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/003-last_login.patch Wed Nov 16 12:17:49 2016 -0800
@@ -18,24 +18,24 @@
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5
+++ new/sshd_config.5
-@@ -1308,8 +1308,8 @@ Specifies whether
+@@ -1300,8 +1300,8 @@ Specifies whether
.Xr sshd 8
should print the date and time of the last user login when a user logs
in interactively.
-The default is
-.Dq yes .
-+On Solaris this option is always ignored since pam_unix_session(5)
++On Solaris this option is always ignored since pam_unix_session(7)
+reports the last login time.
.It Cm PrintMotd
Specifies whether
.Xr sshd 8
-@@ -1735,7 +1735,8 @@ This file should be writable by root onl
+@@ -1721,7 +1721,8 @@ This file should be writable by root onl
(though not necessary) that it be world-readable.
.El
.Sh SEE ALSO
-.Xr sshd 8
+.Xr sshd 8 ,
-+.Xr pam_unix_session 5
++.Xr pam_unix_session 7
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
--- a/components/openssh/patches/007-manpages.patch Wed Nov 16 12:04:24 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,789 +0,0 @@
-# This change is Solaris-specific and thus is not being contributed back
-# to the upstream community. Details:
-#
-# OpenSSH uses the BSD/Linux man page scheme which is different from the SysV
-# man page scheme used in Solaris. In order to comply to the Solaris man page
-# policy and also use the IPS mediator to switch between SunSSH and OpenSSH man
-# pages, the section numbers of some OpenSSH man pages are changed to be the
-# same as their corresponding ones in SunSSH.
-#
-
-diff -rupN old/moduli.5 new/moduli.5
---- old/moduli.5 2015-12-08 21:19:59.482474430 -0800
-+++ new/moduli.5 2015-12-08 21:15:53.128029200 -0800
-@@ -14,7 +14,7 @@
- .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- .Dd $Mdocdate: September 26 2012 $
--.Dt MODULI 5
-+.Dt MODULI 4
- .Os
- .Sh NAME
- .Nm moduli
-@@ -23,7 +23,7 @@
- The
- .Pa /etc/moduli
- file contains prime numbers and generators for use by
--.Xr sshd 8
-+.Xr sshd 1M
- in the Diffie-Hellman Group Exchange key exchange method.
- .Pp
- New moduli may be generated with
-@@ -40,7 +40,7 @@ pass, using
- .Ic ssh-keygen -T ,
- provides a high degree of assurance that the numbers are prime and are
- safe for use in Diffie-Hellman operations by
--.Xr sshd 8 .
-+.Xr sshd 1M .
- This
- .Nm
- format is used as the output from each pass.
-@@ -70,7 +70,7 @@ are Sophie Germain primes (type 4).
- Further primality testing with
- .Xr ssh-keygen 1
- produces safe prime moduli (type 2) that are ready for use in
--.Xr sshd 8 .
-+.Xr sshd 1M .
- Other types are not used by OpenSSH.
- .It tests
- Decimal number indicating the type of primality tests that the number
-@@ -105,16 +105,16 @@ The modulus itself in hexadecimal.
- .El
- .Pp
- When performing Diffie-Hellman Group Exchange,
--.Xr sshd 8
-+.Xr sshd 1M
- first estimates the size of the modulus required to produce enough
- Diffie-Hellman output to sufficiently key the selected symmetric cipher.
--.Xr sshd 8
-+.Xr sshd 1M
- then randomly selects a modulus from
- .Fa /etc/moduli
- that best meets the size requirement.
- .Sh SEE ALSO
- .Xr ssh-keygen 1 ,
--.Xr sshd 8
-+.Xr sshd 1M
- .Sh STANDARDS
- .Rs
- .%A M. Friedl
-diff -rupN old/sftp-server.8 new/sftp-server.8
---- old/sftp-server.8 2015-12-08 21:04:19.872169630 -0800
-+++ new/sftp-server.8 2015-12-08 21:36:18.267186200 -0800
-@@ -23,7 +23,7 @@
- .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- .\"
- .Dd $Mdocdate: December 11 2014 $
--.Dt SFTP-SERVER 8
-+.Dt SFTP-SERVER 1M
- .Os
- .Sh NAME
- .Nm sftp-server
-@@ -47,7 +47,7 @@ is a program that speaks the server side
- to stdout and expects client requests from stdin.
- .Nm
- is not intended to be called directly, but from
--.Xr sshd 8
-+.Xr sshd 1M
- using the
- .Cm Subsystem
- option.
-@@ -58,7 +58,7 @@ should be specified in the
- .Cm Subsystem
- declaration.
- See
--.Xr sshd_config 5
-+.Xr sshd_config 4
- for more information.
- .Pp
- Valid options are:
-@@ -71,7 +71,7 @@ The pathname may contain the following t
- and %u is replaced by the username of that user.
- The default is to use the user's home directory.
- This option is useful in conjunction with the
--.Xr sshd_config 5
-+.Xr sshd_config 4
- .Cm ChrootDirectory
- option.
- .It Fl e
-@@ -147,13 +147,13 @@ must be able to access
- for logging to work, and use of
- .Nm
- in a chroot configuration therefore requires that
--.Xr syslogd 8
-+.Xr syslogd 1M
- establish a logging socket inside the chroot directory.
- .Sh SEE ALSO
- .Xr sftp 1 ,
- .Xr ssh 1 ,
--.Xr sshd_config 5 ,
--.Xr sshd 8
-+.Xr sshd_config 4 ,
-+.Xr sshd 1M
- .Rs
- .%A T. Ylonen
- .%A S. Lehtinen
-diff -rupN old/ssh-keysign.8 new/ssh-keysign.8
---- old/ssh-keysign.8 2015-12-08 21:20:45.638888550 -0800
-+++ new/ssh-keysign.8 2015-12-08 21:15:29.266139300 -0800
-@@ -23,7 +23,7 @@
- .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- .\"
- .Dd $Mdocdate: February 17 2016 $
--.Dt SSH-KEYSIGN 8
-+.Dt SSH-KEYSIGN 1M
- .Os
- .Sh NAME
- .Nm ssh-keysign
-@@ -52,7 +52,7 @@ is not intended to be invoked by the use
- See
- .Xr ssh 1
- and
--.Xr sshd 8
-+.Xr sshd 1M
- for more information about host-based authentication.
- .Sh FILES
- .Bl -tag -width Ds -compact
-@@ -83,8 +83,8 @@ information corresponding with the priva
- .Sh SEE ALSO
- .Xr ssh 1 ,
- .Xr ssh-keygen 1 ,
--.Xr ssh_config 5 ,
--.Xr sshd 8
-+.Xr ssh_config 4 ,
-+.Xr sshd 1M
- .Sh HISTORY
- .Nm
- first appeared in
-diff -rupN old/ssh-pkcs11-helper.8 new/ssh-pkcs11-helper.8
---- old/ssh-pkcs11-helper.8 2015-12-08 21:18:49.511938140 -0800
-+++ new/ssh-pkcs11-helper.8 2015-12-08 21:16:10.866823750 -0800
-@@ -15,7 +15,7 @@
- .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- .\"
- .Dd $Mdocdate: July 16 2013 $
--.Dt SSH-PKCS11-HELPER 8
-+.Dt SSH-PKCS11-HELPER 1M
- .Os
- .Sh NAME
- .Nm ssh-pkcs11-helper
---- old/sshd_config.5 2016-05-11 04:08:25.946753581 -0700
-+++ new/sshd_config.5 2016-05-11 04:20:10.025546205 -0700
-@@ -35,7 +35,7 @@
- .\"
- .\" $OpenBSD: sshd_config.5,v 1.220 2016/02/17 08:57:34 djm Exp $
- .Dd $Mdocdate: February 17 2016 $
--.Dt SSHD_CONFIG 5
-+.Dt SSHD_CONFIG 4
- .Os
- .Sh NAME
- .Nm sshd_config
-@@ -43,7 +43,7 @@
- .Sh SYNOPSIS
- .Nm /etc/ssh/sshd_config
- .Sh DESCRIPTION
--.Xr sshd 8
-+.Xr sshd 1M
- reads configuration data from
- .Pa /etc/ssh/sshd_config
- (or the file specified with
-@@ -68,7 +68,7 @@
- See
- .Cm SendEnv
- in
--.Xr ssh_config 5
-+.Xr ssh_config 4
- for how to configure the client.
- The
- .Ev TERM
-@@ -88,7 +88,7 @@
- The default is not to accept any environment variables.
- .It Cm AddressFamily
- Specifies which address family should be used by
--.Xr sshd 8 .
-+.Xr sshd 1M .
- Valid arguments are
- .Dq any ,
- .Dq inet
-@@ -121,7 +121,7 @@
- .Cm AllowGroups .
- .Pp
- See PATTERNS in
--.Xr ssh_config 5
-+.Xr ssh_config 4
- for more information on patterns.
- .It Cm AllowTcpForwarding
- Specifies whether TCP forwarding is permitted.
-@@ -181,7 +181,7 @@
- .Cm AllowGroups .
- .Pp
- See PATTERNS in
--.Xr ssh_config 5
-+.Xr ssh_config 4
- for more information on patterns.
- .It Cm AuthenticationMethods
- Specifies the authentication methods that must be successfully completed
-@@ -216,7 +216,7 @@
- If the
- .Dq publickey
- method is listed more than once,
--.Xr sshd 8
-+.Xr sshd 1M
- verifies that keys that have been used successfully are not reused for
- subsequent authentications.
- For example, an
-@@ -249,7 +249,7 @@
- .Pp
- The program should produce on standard output zero or
- more lines of authorized_keys output (see AUTHORIZED_KEYS in
--.Xr sshd 8 ) .
-+.Xr sshd 1M ) .
- If a key supplied by AuthorizedKeysCommand does not successfully authenticate
- and authorize the user then public key authentication continues using the usual
- .Cm AuthorizedKeysFile
-@@ -264,7 +264,7 @@
- is specified but
- .Cm AuthorizedKeysCommandUser
- is not, then
--.Xr sshd 8
-+.Xr sshd 1M
- will refuse to start.
- .It Cm AuthorizedKeysFile
- Specifies the file that contains the public keys that can be used
-@@ -272,7 +272,7 @@
- The format is described in the
- AUTHORIZED_KEYS FILE FORMAT
- section of
--.Xr sshd 8 .
-+.Xr sshd 1M .
- .Cm AuthorizedKeysFile
- may contain tokens of the form %T which are substituted during connection
- setup.
-@@ -323,7 +323,7 @@
- is specified but
- .Cm AuthorizedPrincipalsCommandUser
- is not, then
--.Xr sshd 8
-+.Xr sshd 1M
- will refuse to start.
- .It Cm AuthorizedPrincipalsFile
- Specifies a file that lists principal names that are accepted for
-@@ -334,7 +334,7 @@
- to be accepted for authentication.
- Names are listed one per line preceded by key options (as described
- in AUTHORIZED_KEYS FILE FORMAT in
--.Xr sshd 8 ) .
-+.Xr sshd 1M ) .
- Empty lines and comments starting with
- .Ql #
- are ignored.
-@@ -364,7 +364,7 @@
- though the
- .Cm principals=
- key option offers a similar facility (see
--.Xr sshd 8
-+.Xr sshd 1M
- for details).
- .It Cm Banner
- The contents of the specified file are sent to the remote user before
-@@ -384,11 +384,11 @@
- .Xr chroot 2
- to after authentication.
- At session startup
--.Xr sshd 8
-+.Xr sshd 1M
- checks that all components of the pathname are root-owned directories
- which are not writable by any other user or group.
- After the chroot,
--.Xr sshd 8
-+.Xr sshd 1M
- changes the working directory to the user's home directory.
- .Pp
- The pathname may contain the following tokens that are expanded at runtime once
-@@ -420,14 +420,14 @@
- though sessions which use logging may require
- .Pa /dev/log
- inside the chroot directory on some operating systems (see
--.Xr sftp-server 8
-+.Xr sftp-server 1M
- for details).
- .Pp
- For safety, it is very important that the directory hierarchy be
- prevented from modification by other processes on the system (especially
- those outside the jail).
- Misconfiguration can lead to unsafe environments which
--.Xr sshd 8
-+.Xr sshd 1M
- cannot detect.
- .Pp
- The default is
-@@ -493,7 +493,7 @@
- .It Cm ClientAliveCountMax
- Sets the number of client alive messages (see below) which may be
- sent without
--.Xr sshd 8
-+.Xr sshd 1M
- receiving any messages back from the client.
- If this threshold is reached while client alive messages are being sent,
- sshd will disconnect the client, terminating the session.
-@@ -519,7 +519,7 @@
- .It Cm ClientAliveInterval
- Sets a timeout interval in seconds after which if no data has been received
- from the client,
--.Xr sshd 8
-+.Xr sshd 1M
- will send a message through the encrypted
- channel to request a response from the client.
- The default
-@@ -549,7 +549,7 @@
- .Cm AllowGroups .
- .Pp
- See PATTERNS in
--.Xr ssh_config 5
-+.Xr ssh_config 4
- for more information on patterns.
- .It Cm DenyUsers
- This keyword can be followed by a list of user name patterns, separated
-@@ -568,7 +568,7 @@
- .Cm AllowGroups .
- .Pp
- See PATTERNS in
--.Xr ssh_config 5
-+.Xr ssh_config 4
- for more information on patterns.
- .It Cm FingerprintHash
- Specifies the hash algorithm used when logging key fingerprints.
-@@ -603,7 +603,7 @@
- Specifies whether remote hosts are allowed to connect to ports
- forwarded for the client.
- By default,
--.Xr sshd 8
-+.Xr sshd 1M
- binds remote port forwardings to the loopback address.
- This prevents other remote hosts from connecting to forwarded ports.
- .Cm GatewayPorts
-@@ -684,7 +684,7 @@
- A setting of
- .Dq yes
- means that
--.Xr sshd 8
-+.Xr sshd 1M
- uses the name supplied by the client rather than
- attempting to resolve the name from the TCP connection itself.
- The default is
-@@ -695,7 +695,7 @@
- by
- .Cm HostKey .
- The default behaviour of
--.Xr sshd 8
-+.Xr sshd 1M
- is not to load any certificates.
- .It Cm HostKey
- Specifies a file containing a private host key
-@@ -711,12 +711,12 @@
- for protocol version 2.
- .Pp
- Note that
--.Xr sshd 8
-+.Xr sshd 1M
- will refuse to use a file if it is group/world-accessible
- and that the
- .Cm HostKeyAlgorithms
- option restricts which of the keys are actually used by
--.Xr sshd 8 .
-+.Xr sshd 1M .
- .Pp
- It is possible to have multiple host key files.
- .Dq rsa1
-@@ -777,7 +777,7 @@
- .Dq yes .
- .It Cm IgnoreUserKnownHosts
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should ignore the user's
- .Pa ~/.ssh/known_hosts
- during
-@@ -912,7 +912,7 @@
- The default is 3600 (seconds).
- .It Cm ListenAddress
- Specifies the local addresses
--.Xr sshd 8
-+.Xr sshd 1M
- should listen on.
- The following forms may be used:
- .Pp
-@@ -952,7 +952,7 @@
- The default is 120 seconds.
- .It Cm LogLevel
- Gives the verbosity level that is used when logging messages from
--.Xr sshd 8 .
-+.Xr sshd 1M .
- The possible values are:
- QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
- The default is INFO.
-@@ -1057,7 +1057,7 @@
- The match patterns may consist of single entries or comma-separated
- lists and may use the wildcard and negation operators described in the
- PATTERNS section of
--.Xr ssh_config 5 .
-+.Xr ssh_config 4 .
- .Pp
- The patterns in an
- .Cm Address
-@@ -1156,7 +1156,7 @@
- the three colon separated values
- .Dq start:rate:full
- (e.g. "10:30:60").
--.Xr sshd 8
-+.Xr sshd 1M
- will refuse connection attempts with a probability of
- .Dq rate/100
- (30%)
-@@ -1276,7 +1276,7 @@
- options in
- .Pa ~/.ssh/authorized_keys
- are processed by
--.Xr sshd 8 .
-+.Xr sshd 1M .
- The default is
- .Dq no .
- Enabling environment processing may enable users to bypass access
-@@ -1297,7 +1297,7 @@
- .Pa /var/run/sshd.pid .
- .It Cm Port
- Specifies the port number that
--.Xr sshd 8
-+.Xr sshd 1M
- listens on.
- The default is 22.
- Multiple options of this type are permitted.
-@@ -1305,14 +1305,14 @@
- .Cm ListenAddress .
- .It Cm PrintLastLog
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should print the date and time of the last user login when a user logs
- in interactively.
- On Solaris this option is always ignored since pam_unix_session(5)
- reports the last login time.
- .It Cm PrintMotd
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should print
- .Pa /etc/motd
- when a user logs in interactively.
-@@ -1323,7 +1323,7 @@
- .Dq yes .
- .It Cm Protocol
- Specifies the protocol versions
--.Xr sshd 8
-+.Xr sshd 1M
- supports.
- The possible values are
- .Sq 1
-@@ -1450,7 +1450,7 @@
- .Dq no .
- .It Cm StrictModes
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should check file modes and ownership of the
- user's files and home directory before accepting login.
- This is normally desirable because novices sometimes accidentally leave their
-@@ -1466,7 +1466,7 @@
- to execute upon subsystem request.
- .Pp
- The command
--.Xr sftp-server 8
-+.Xr sftp-server 1M
- implements the
- .Dq sftp
- file transfer subsystem.
-@@ -1483,7 +1483,7 @@
- By default no subsystems are defined.
- .It Cm SyslogFacility
- Gives the facility code that is used when logging messages from
--.Xr sshd 8 .
-+.Xr sshd 1M .
- The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
- LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
- The default is AUTH.
-@@ -1526,7 +1526,7 @@
- .Xr ssh-keygen 1 .
- .It Cm UseDNS
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should look up the remote host name, and to check that
- the resolved host name for the remote IP address maps back to the
- very same IP address.
-@@ -1580,13 +1580,13 @@
- If
- .Cm UsePAM
- is enabled, you will not be able to run
--.Xr sshd 8
-+.Xr sshd 1M
- as a non-root user.
- The default is
- .Dq no .
- .It Cm UsePrivilegeSeparation
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- separates privileges by creating an unprivileged child process
- to deal with incoming network traffic.
- After successful authentication, another process will be created that has
-@@ -1613,7 +1613,7 @@
- .Dq none .
- .It Cm X11DisplayOffset
- Specifies the first display number available for
--.Xr sshd 8 Ns 's
-+.Xr sshd 1M Ns 's
- X11 forwarding.
- This prevents sshd from interfering with real X11 servers.
- The default is 10.
-@@ -1628,7 +1628,7 @@
- .Pp
- When X11 forwarding is enabled, there may be additional exposure to
- the server and to client displays if the
--.Xr sshd 8
-+.Xr sshd 1M
- proxy display is configured to listen on the wildcard address (see
- .Cm X11UseLocalhost
- below), though this is not the default.
-@@ -1639,7 +1639,7 @@
- forwarding (see the warnings for
- .Cm ForwardX11
- in
--.Xr ssh_config 5 ) .
-+.Xr ssh_config 4 ) .
- A system administrator may have a stance in which they want to
- protect clients that may expose themselves to attack by unwittingly
- requesting X11 forwarding, which can warrant a
-@@ -1653,7 +1653,7 @@
- is enabled.
- .It Cm X11UseLocalhost
- Specifies whether
--.Xr sshd 8
-+.Xr sshd 1M
- should bind the X11 forwarding server to the loopback address or to
- the wildcard address.
- By default,
-@@ -1686,7 +1686,7 @@
- .Pa /usr/X11R6/bin/xauth .
- .El
- .Sh TIME FORMATS
--.Xr sshd 8
-+.Xr sshd 1M
- command-line arguments and configuration file options that specify time
- may be expressed using a sequence of the form:
- .Sm off
-@@ -1730,12 +1730,12 @@
- .Bl -tag -width Ds
- .It Pa /etc/ssh/sshd_config
- Contains configuration data for
--.Xr sshd 8 .
-+.Xr sshd 1M .
- This file should be writable by root only, but it is recommended
- (though not necessary) that it be world-readable.
- .El
- .Sh SEE ALSO
--.Xr sshd 8 ,
-+.Xr sshd 1M ,
- .Xr pam_unix_session 5
- .Sh AUTHORS
- OpenSSH is a derivative of the original and free
---- old/ssh_config.5 2016-03-09 10:04:48.000000000 -0800
-+++ new/ssh_config.5 2016-05-11 04:27:03.379064284 -0700
-@@ -35,7 +35,7 @@
- .\"
- .\" $OpenBSD: ssh_config.5,v 1.228 2016/02/20 23:01:46 sobrado Exp $
- .Dd $Mdocdate: February 20 2016 $
--.Dt SSH_CONFIG 5
-+.Dt SSH_CONFIG 4
- .Os
- .Sh NAME
- .Nm ssh_config
-@@ -639,7 +639,7 @@
- .Dq Fl O No exit
- option).
- If set to a time in seconds, or a time in any of the formats documented in
--.Xr sshd_config 5 ,
-+.Xr sshd_config 4 ,
- then the backgrounded master connection will automatically terminate
- after it has remained idle (with no client connections) for the
- specified time.
-@@ -681,7 +681,7 @@
- in the global client configuration file
- .Pa /etc/ssh/ssh_config
- enables the use of the helper program
--.Xr ssh-keysign 8
-+.Xr ssh-keysign 1M
- during
- .Cm HostbasedAuthentication .
- The argument must be
-@@ -692,7 +692,7 @@
- .Dq no .
- This option should be placed in the non-hostspecific section.
- See
--.Xr ssh-keysign 8
-+.Xr ssh-keysign 1M
- for more information.
- .It Cm EscapeChar
- Sets the escape character (default:
-@@ -773,7 +773,7 @@
- Specify a timeout for untrusted X11 forwarding
- using the format described in the
- TIME FORMATS section of
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- X11 connections received by
- .Xr ssh 1
- after this time will be refused.
-@@ -838,7 +838,7 @@
- These hashed names may be used normally by
- .Xr ssh 1
- and
--.Xr sshd 8 ,
-+.Xr sshd 1M ,
- but they do not reveal identifying information should the file's contents
- be disclosed.
- The default is
-@@ -1287,7 +1287,7 @@
- The command can be basically anything,
- and should read from its standard input and write to its standard output.
- It should eventually connect an
--.Xr sshd 8
-+.Xr sshd 1M
- server running on some machine, or execute
- .Ic sshd -i
- somewhere.
-@@ -1366,7 +1366,7 @@
- The optional second value is specified in seconds and may use any of the
- units documented in the
- TIME FORMATS section of
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- The default value for
- .Cm RekeyLimit
- is
-@@ -1409,7 +1409,7 @@
- will only succeed if the server's
- .Cm GatewayPorts
- option is enabled (see
--.Xr sshd_config 5 ) .
-+.Xr sshd_config 4 ) .
- .It Cm RequestTTY
- Specifies whether to request a pseudo-tty for the session.
- The argument may be one of:
-@@ -1474,7 +1474,7 @@
- Refer to
- .Cm AcceptEnv
- in
--.Xr sshd_config 5
-+.Xr sshd_config 4
- for how to configure the server.
- Variables are specified by name, which may contain wildcard characters.
- Multiple environment variables may be separated by whitespace or spread
-@@ -1662,7 +1662,7 @@
- and will be disabled if it is enabled.
- .Pp
- Presently, only
--.Xr sshd 8
-+.Xr sshd 1M
- from OpenSSH 6.8 and greater support the
- .Dq [email protected]
- protocol extension used to inform the client of all the server's hostkeys.
---- old/sshd.8 2016-03-09 10:04:48.000000000 -0800
-+++ new/sshd.8 2016-05-11 05:04:07.228783462 -0700
-@@ -35,7 +35,7 @@
- .\"
- .\" $OpenBSD: sshd.8,v 1.284 2016/02/17 07:38:19 jmc Exp $
- .Dd $Mdocdate: February 17 2016 $
--.Dt SSHD 8
-+.Dt SSHD 1M
- .Os
- .Sh NAME
- .Nm sshd
-@@ -77,7 +77,7 @@
- .Nm
- can be configured using command-line options or a configuration file
- (by default
--.Xr sshd_config 5 ) ;
-+.Xr sshd_config 4 ) ;
- command-line options override values specified in the
- configuration file.
- .Nm
-@@ -204,7 +204,7 @@
- This is useful for specifying options for which there is no separate
- command-line flag.
- For full details of the options, and their values, see
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- .It Fl p Ar port
- Specifies the port on which the server listens for connections
- (default 22).
-@@ -274,7 +274,7 @@
- though this can be changed via the
- .Cm Protocol
- option in
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- Protocol 1 should not be used
- and is only offered to support legacy devices.
- .Pp
-@@ -397,14 +397,14 @@
- See the
- .Cm PermitUserEnvironment
- option in
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- .It
- Changes to user's home directory.
- .It
- If
- .Pa ~/.ssh/rc
- exists and the
--.Xr sshd_config 5
-+.Xr sshd_config 4
- .Cm PermitUserRC
- option is set, runs it; else if
- .Pa /etc/ssh/sshrc
-@@ -551,7 +551,7 @@
- environment variable.
- Note that this option applies to shell, command or subsystem execution.
- Also note that this command may be superseded by either a
--.Xr sshd_config 5
-+.Xr sshd_config 4
- .Cm ForceCommand
- directive or a command embedded in a certificate.
- .It Cm environment="NAME=value"
-@@ -952,7 +952,7 @@
- Contains configuration data for
- .Nm sshd .
- The file format and configuration options are described in
--.Xr sshd_config 5 .
-+.Xr sshd_config 4 .
- .Pp
- .It Pa /etc/ssh/sshrc
- Similar to
-@@ -986,11 +986,12 @@
- .Xr ssh-keygen 1 ,
- .Xr ssh-keyscan 1 ,
- .Xr chroot 2 ,
-+.Xr hosts_access 5 ,
- .Xr login.conf 5 ,
--.Xr moduli 5 ,
--.Xr sshd_config 5 ,
--.Xr inetd 8 ,
--.Xr sftp-server 8
-+.Xr moduli 4 ,
-+.Xr sshd_config 4 ,
-+.Xr inetd 1M ,
-+.Xr sftp-server 1M
- .Sh AUTHORS
- OpenSSH is a derivative of the original and free
- ssh 1.2.12 release by Tatu Ylonen.
--- a/components/openssh/patches/014-disable_banner.patch Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/014-disable_banner.patch Wed Nov 16 12:17:49 2016 -0800
@@ -6,54 +6,54 @@
# In the future, if this feature is accepted by the upsteam in a later release,
# we will remove this patch when we upgrade to that release.
#
-diff -pur old/readconf.c new/readconf.c
---- old/readconf.c 2015-03-28 21:57:35.551727235 +0100
-+++ new/readconf.c 2015-03-28 22:06:01.694836272 +0100
-@@ -150,6 +150,9 @@ typedef enum {
+--- orig/readconf.c Mon Aug 15 15:45:25 2016
++++ new/readconf.c Mon Aug 15 15:53:23 2016
+@@ -163,6 +163,9 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
+#ifdef DISABLE_BANNER
-+ oDisableBanner,
++ oDisableBanner,
+#endif
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- oVisualHostKey, oUseRoaming,
+ oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-@@ -254,6 +257,9 @@ static struct {
+@@ -271,6 +274,9 @@
{ "controlmaster", oControlMaster },
{ "controlpersist", oControlPersist },
{ "hashknownhosts", oHashKnownHosts },
+#ifdef DISABLE_BANNER
-+ { "disablebanner", oDisableBanner },
++ { "disablebanner", oDisableBanner },
+#endif
+ { "include", oInclude },
{ "tunnel", oTunnel },
{ "tunneldevice", oTunnelDevice },
- { "localcommand", oLocalCommand },
-@@ -754,6 +760,17 @@ static const struct multistate multistat
+@@ -794,6 +800,18 @@
{ NULL, -1 }
};
++
+#ifdef DISABLE_BANNER
+static const struct multistate multistate_disablebanner[] = {
-+ { "true", SSH_DISABLEBANNER_YES },
-+ { "false", SSH_DISABLEBANNER_NO },
-+ { "yes", SSH_DISABLEBANNER_YES },
-+ { "no", SSH_DISABLEBANNER_NO },
-+ { "in-exec-mode", SSH_DISABLEBANNER_INEXECMODE },
-+ { NULL, -1 }
++ { "true", SSH_DISABLEBANNER_YES },
++ { "false", SSH_DISABLEBANNER_NO },
++ { "yes", SSH_DISABLEBANNER_YES },
++ { "no", SSH_DISABLEBANNER_NO },
++ { "in-exec-mode", SSH_DISABLEBANNER_INEXECMODE },
++ { NULL, -1 }
+};
+#endif
+
/*
* Processes a single option line as used in the configuration files. This
* only sets those values that have not already been set.
-@@ -1514,6 +1531,13 @@ parse_int:
- *charptr = xstrdup(arg);
- break;
+@@ -1657,6 +1675,13 @@
+ charptr = &options->identity_agent;
+ goto parse_string;
+#ifdef DISABLE_BANNER
-+ case oDisableBanner:
-+ intptr = &options->disable_banner;
++ case oDisableBanner:
++ intptr = &options->disable_banner;
+ multistate_ptr = multistate_disablebanner;
+ goto parse_multistate;
+#endif
@@ -61,32 +61,31 @@
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
-@@ -1684,6 +1708,9 @@ initialize_options(Options * options)
+@@ -1847,6 +1872,9 @@
options->ip_qos_bulk = -1;
options->request_tty = -1;
options->proxy_use_fdpass = -1;
+#ifdef DISABLE_BANNER
-+ options->disable_banner = -1;
++ options->disable_banner = -1;
+#endif
options->ignored_unknown = NULL;
options->num_canonical_domains = 0;
options->num_permitted_cnames = 0;
-@@ -1871,6 +1898,10 @@ fill_default_options(Options * options)
+@@ -2041,6 +2069,10 @@
options->canonicalize_fallback_local = 1;
if (options->canonicalize_hostname == -1)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
+#ifdef DISABLE_BANNER
-+ if (options->disable_banner == -1)
-+ options->disable_banner = 0;
++ if (options->disable_banner == -1)
++ options->disable_banner = 0;
+#endif
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->update_hostkeys == -1)
-diff -pur old/readconf.h new/readconf.h
---- old/readconf.h 2015-03-17 06:49:20.000000000 +0100
-+++ new/readconf.h 2015-03-28 21:57:35.684348892 +0100
-@@ -153,6 +153,9 @@ typedef struct {
- char *hostbased_key_types;
+--- orig/readconf.h Mon Aug 15 15:45:28 2016
++++ new/readconf.h Mon Aug 15 15:55:00 2016
+@@ -169,6 +169,9 @@
+ char *jump_extra;
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
+#ifdef DISABLE_BANNER
@@ -95,23 +94,22 @@
} Options;
#define SSH_CANONICALISE_NO 0
-@@ -178,6 +181,12 @@ typedef struct {
+@@ -195,6 +198,12 @@
#define SSH_UPDATE_HOSTKEYS_YES 1
#define SSH_UPDATE_HOSTKEYS_ASK 2
+#ifdef DISABLE_BANNER
-+#define SSH_DISABLEBANNER_NO 0
-+#define SSH_DISABLEBANNER_YES 1
-+#define SSH_DISABLEBANNER_INEXECMODE 2
++#define SSH_DISABLEBANNER_NO 0
++#define SSH_DISABLEBANNER_YES 1
++#define SSH_DISABLEBANNER_INEXECMODE 2
+#endif
+
void initialize_options(Options *);
void fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *);
-diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5 2015-03-28 21:57:35.544033907 +0100
-+++ new/ssh_config.5 2015-03-28 21:57:35.684635985 +0100
-@@ -566,6 +566,14 @@ If set to a time in seconds, or a time i
+--- orig/ssh_config.5 Mon Aug 15 15:45:37 2016
++++ new/ssh_config.5 Mon Aug 15 15:57:36 2016
+@@ -643,6 +643,14 @@
then the backgrounded master connection will automatically terminate
after it has remained idle (with no client connections) for the
specified time.
@@ -122,14 +120,13 @@
+.Pp
+The default value is no, which means that the banner is displayed unless the
+log level is QUIET, FATAL, or ERROR. See also the Banner option in
-+.Xr sshd_config 4 . This option applies to protocol version 2 only.
+++.Xr sshd_config 5 . This option applies to protocol version 2 only.
.It Cm DynamicForward
Specifies that a TCP port on the local machine be forwarded
over the secure channel, and the application
-diff -pur old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c 2015-03-17 06:49:20.000000000 +0100
-+++ new/sshconnect2.c 2015-03-28 21:57:35.684940995 +0100
-@@ -81,6 +81,10 @@ extern char *client_version_string;
+--- orig/sshconnect2.c Mon Aug 15 15:45:44 2016
++++ new/sshconnect2.c Thu Aug 18 18:28:20 2016
+@@ -82,6 +82,10 @@
extern char *server_version_string;
extern Options options;
@@ -140,24 +137,24 @@
/*
* SSH2 key exchange
*/
-@@ -480,7 +484,20 @@ input_userauth_banner(int type, u_int32_
- debug3("input_userauth_banner");
- raw = packet_get_string(&len);
+@@ -502,7 +506,20 @@
+ debug3("%s", __func__);
+ msg = packet_get_string(&len);
lang = packet_get_string(NULL);
+
+#ifdef DISABLE_BANNER
-+ /*
-+ * Banner is a warning message according to RFC 4252. So, never print
-+ * a banner in error log level or lower. If the log level is higher,
-+ * use DisableBanner option to decide whether to display it or not.
-+ */
-+ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO &&
++ /*
++ * Banner is a warning message according to RFC 4252. So, never print
++ * a banner in error log level or lower. If the log level is higher,
++ * use DisableBanner option to decide whether to display it or not.
++ */
++ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO &&
+ (options.disable_banner == SSH_DISABLEBANNER_NO ||
+ (options.disable_banner == SSH_DISABLEBANNER_INEXECMODE &&
-+ buffer_len(&command) == 0))) {
++ buffer_len(&command) == 0)))
+#else
- if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
+ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO)
+#endif
- if (len > 65536)
- len = 65536;
- msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
+ fmprintf(stderr, "%s", msg);
+ free(msg);
+ free(lang);
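Review bot: The rewritten condition in input_userauth_banner is now a brace-less `if` whose only body is the `fmprintf(stderr, "%s", msg);` that follows `#endif`, so the statement the condition controls lives outside both preprocessor branches (`if (len > 0 && ... buffer_len(&command) == 0)))` under DISABLE_BANNER, `if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO)` otherwise). That is correct as written, but a later edit that adds a second statement after the `fmprintf` will silently fall outside the condition in both branches; keeping an explicit brace pair around the shared body, `{ fmprintf(stderr, "%s", msg); }` placed right after `#endif`, makes the intent obvious to the next maintainer. input_userauth_banner starts and ends outside this hunk.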
--- a/components/openssh/patches/015-pam_conversation_fix.patch Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/015-pam_conversation_fix.patch Wed Nov 16 12:17:49 2016 -0800
@@ -4,9 +4,9 @@
# 2009, but it was not accepted by the upstream. For more information, see
# https://bugzilla.mindrot.org/show_bug.cgi?id=1681.
#
---- orig/auth-pam.c Mon Oct 27 14:40:01 2014
-+++ new/auth-pam.c Tue Oct 28 12:40:59 2014
-@@ -1111,11 +1111,13 @@
+--- orig/auth-pam.c Mon Aug 15 16:16:17 2016
++++ new/auth-pam.c Mon Aug 15 16:26:40 2016
+@@ -1138,11 +1138,13 @@
free(env);
}
@@ -20,25 +20,25 @@
static int
sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
-@@ -1137,6 +1139,17 @@
+@@ -1164,6 +1166,17 @@
for (i = 0; i < n; ++i) {
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
case PAM_PROMPT_ECHO_OFF:
+#ifdef PAM_BUGFIX
+ /*
+ * PAM conversation function for the password userauth
-+ * method (non-interactive) really cannot do any
-+ * prompting. We set the PAM_AUTHTOK item in
++ * method (non-interactive) really cannot do any
++ * prompting. We set the PAM_AUTHTOK item in
+ * sshpam_auth_passwd()to avoid conversation. If some
-+ * modules still try to converse, then the password
-+ * userauth will fail.
-+ */
-+ goto fail;
++ * modules still try to converse, then the password
++ * userauth will fail.
++ */
++ goto fail;
+#else
if (sshpam_password == NULL)
goto fail;
if ((reply[i].resp = strdup(sshpam_password)) == NULL)
-@@ -1143,6 +1156,7 @@
+@@ -1170,6 +1183,7 @@
goto fail;
reply[i].resp_retcode = PAM_SUCCESS;
break;
@@ -46,7 +46,7 @@
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
len = strlen(PAM_MSG_MEMBER(msg, i, msg));
-@@ -1178,6 +1192,9 @@
+@@ -1205,6 +1219,9 @@
int
sshpam_auth_passwd(Authctxt *authctxt, const char *password)
{
@@ -55,35 +55,35 @@
+#endif
int flags = (options.permit_empty_passwd == 0 ?
PAM_DISALLOW_NULL_AUTHTOK : 0);
-
-@@ -1197,6 +1214,15 @@
+ char *fake = NULL;
+@@ -1225,6 +1242,15 @@
options.permit_root_login != PERMIT_YES))
- sshpam_password = badpw;
+ sshpam_password = fake = fake_password(password);
+#ifdef PAM_BUGFIX
-+ sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, password);
-+ if (sshpam_err != PAM_SUCCESS) {
-+ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
-+ pam_strerror(sshpam_handle, sshpam_err));
-+ return 0;
-+ }
++ sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, sshpam_password);
++ if (sshpam_err != PAM_SUCCESS) {
++ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++ pam_strerror(sshpam_handle, sshpam_err));
++ return 0;
++ }
+#endif
+
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&passwd_conv);
if (sshpam_err != PAM_SUCCESS)
-@@ -1205,6 +1231,16 @@
-
- sshpam_err = pam_authenticate(sshpam_handle, flags);
- sshpam_password = NULL;
+@@ -1236,6 +1262,16 @@
+ free(fake);
+ if (sshpam_err == PAM_MAXTRIES)
+ sshpam_set_maxtries_reached(1);
+
+#ifdef PAM_BUGFIX
+ set_item_rtn = pam_set_item(sshpam_handle, PAM_AUTHTOK, NULL);
-+ if (set_item_rtn != PAM_SUCCESS) {
-+ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
-+ pam_strerror(sshpam_handle, set_item_rtn));
-+ return 0;
-+ }
++ if (set_item_rtn != PAM_SUCCESS) {
++ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++ pam_strerror(sshpam_handle, set_item_rtn));
++ return 0;
++ }
+#endif
+
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
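Review bot: The early exit in the first PAM_BUGFIX block, `return 0;` after `pam_set_item(sshpam_handle, PAM_AUTHTOK, sshpam_password)` fails, skips the `free(fake)` that the hunk shows later in the function and leaves the static `sshpam_password` pointing at `fake` or at the caller's password buffer. Passing `sshpam_password` (the fake password for invalid users) instead of `password` is the right fix for the timing difference this commit targets, but the error path should unwind the same way the normal path does: `free(fake); sshpam_password = NULL; return 0;`. The second block's `return 0` runs after `free(fake)` and, presumably, after `sshpam_password` has been reset following `pam_authenticate()` (that reset is visible only in the old-side context here), so it does not need the same treatment. sshpam_auth_passwd continues past the end of the hunk.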
--- a/components/openssh/patches/023-gsskex.patch Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/023-gsskex.patch Wed Nov 16 12:17:49 2016 -0800
@@ -6,12 +6,24 @@
# Default value for GSSAPIKeyExchange changed to yes to match SunSSH behavior.
# New files kexgssc.c and kexgsss.c moved to ../sources/ and made cstyle clean.
#
+# Update Sep 5, 2016:
+# Upstream renamed and moved canohost.c`get_canonical_hostname to sshd-specific
+# auth.c`auth_get_canonical_hostname. In Solaris specific GSS-API key exchange
+# code we need this functionality on the client side too, for canonicalizing
+# server hostbased service principal. We have moved remote_hostname back to
+# canohost.c.
+#
+# TODO:
+# When we upgrade Kerberos in Solaris to future version 1.15, we will use
+# krb5_expand_hostname for hostname canonicalization instead.
+#
# Upstream rejected GSS-API key exchange several times before.
#
-diff -pur old/Makefile.in new/Makefile.in
---- old/Makefile.in
-+++ new/Makefile.in
-@@ -86,5 +86,6 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+diff -rupN old/Makefile.in new/Makefile.in
+--- old/Makefile.in 2016-09-21 19:40:34.495262333 -0700
++++ new/Makefile.in 2016-09-21 20:20:17.560532505 -0700
+@@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+ atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
+ kexgssc.o \
@@ -25,11 +37,114 @@
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- sftp-server.o sftp-common.o sftp_provider.o \
+ sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-diff -pur old/auth2-gss.c new/auth2-gss.c
---- old/auth2-gss.c
-+++ new/auth2-gss.c
+diff -rupN old/auth.c new/auth.c
+--- old/auth.c 2016-09-21 19:40:20.287164940 -0700
++++ new/auth.c 2016-09-21 19:25:47.928961550 -0700
+@@ -786,99 +786,6 @@ fakepw(void)
+ }
+
+ /*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+- struct sockaddr_storage from;
+- socklen_t fromlen;
+- struct addrinfo hints, *ai, *aitop;
+- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+- const char *ntop = ssh_remote_ipaddr(ssh);
+-
+- /* Get IP address of client. */
+- fromlen = sizeof(from);
+- memset(&from, 0, sizeof(from));
+- if (getpeername(ssh_packet_get_connection_in(ssh),
+- (struct sockaddr *)&from, &fromlen) < 0) {
+- debug("getpeername failed: %.100s", strerror(errno));
+- return strdup(ntop);
+- }
+-
+- ipv64_normalise_mapped(&from, &fromlen);
+- if (from.ss_family == AF_INET6)
+- fromlen = sizeof(struct sockaddr_in6);
+-
+- debug3("Trying to reverse map address %.100s.", ntop);
+- /* Map the IP address to a host name. */
+- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+- NULL, 0, NI_NAMEREQD) != 0) {
+- /* Host name not found. Use ip address. */
+- return strdup(ntop);
+- }
+-
+- /*
+- * if reverse lookup result looks like a numeric hostname,
+- * someone is trying to trick us by PTR record like following:
+- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+- hints.ai_flags = AI_NUMERICHOST;
+- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+- name, ntop);
+- freeaddrinfo(ai);
+- return strdup(ntop);
+- }
+-
+- /* Names are stored in lowercase. */
+- lowercase(name);
+-
+- /*
+- * Map it back to an IP address and check that the given
+- * address actually is an address of this host. This is
+- * necessary because anyone with access to a name server can
+- * define arbitrary names for an IP address. Mapping from
+- * name to IP address can be trusted better (but can still be
+- * fooled if the intruder has access to the name server of
+- * the domain).
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_family = from.ss_family;
+- hints.ai_socktype = SOCK_STREAM;
+- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+- logit("reverse mapping checking getaddrinfo for %.700s "
+- "[%s] failed.", name, ntop);
+- return strdup(ntop);
+- }
+- /* Look for the address from the list of addresses. */
+- for (ai = aitop; ai; ai = ai->ai_next) {
+- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+- (strcmp(ntop, ntop2) == 0))
+- break;
+- }
+- freeaddrinfo(aitop);
+- /* If we reached the end of the list, the address was not there. */
+- if (ai == NULL) {
+- /* Address not found for the host name. */
+- logit("Address %.100s maps to %.600s, but this does not "
+- "map back to the address.", ntop, name);
+- return strdup(ntop);
+- }
+- return strdup(name);
+-}
+-
+-/*
+ * Return the canonical name of the host in the other side of the current
+ * connection. The host name is cached, so it is efficient to call this
+ * several times.
+diff -rupN old/auth2-gss.c new/auth2-gss.c
+--- old/auth2-gss.c 2016-09-21 19:40:20.290128383 -0700
++++ new/auth2-gss.c 2016-09-21 19:25:47.855250807 -0700
@@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
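Review bot: The patch's Makefile.in hunk now silently drops `sftp_provider.o` from the sshd object list (`- sftp-server.o sftp-common.o sftp_provider.o \` becomes `+ sftp-server.o sftp-common.o \`) while adding `kexgsss.o`, and nothing in this hunk or the updated patch header says why. Presumably the object is now contributed by another patch in this commit, but if it is not, sshd loses it from the link without any build error. A one-line note in the patch header, `# sftp_provider.o is now added by <PATCH-NAME placeholder>`, would document the hand-off for the next upgrade.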
@@ -92,9 +207,9 @@
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
-diff -pur old/auth2.c new/auth2.c
---- old/auth2.c
-+++ new/auth2.c
+diff -rupN old/auth2.c new/auth2.c
+--- old/auth2.c 2016-09-21 19:40:20.293020496 -0700
++++ new/auth2.c 2016-09-21 19:25:47.497355321 -0700
@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
@@ -111,9 +226,123 @@
&method_gssapi,
#endif
&method_passwd,
-diff -pur old/gss-genr.c new/gss-genr.c
---- old/gss-genr.c
-+++ new/gss-genr.c
+diff -rupN old/canohost.c new/canohost.c
+--- old/canohost.c 2016-09-21 19:40:20.295936952 -0700
++++ new/canohost.c 2016-09-21 19:25:47.908930173 -0700
+@@ -202,3 +202,97 @@ get_local_port(int sock)
+ {
+ return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++/* Oracle Solaris - moved out of auth.c for use in GSSKEX in sshconnect2.c */
++char *
++remote_hostname(struct ssh *ssh)
++{
++ struct sockaddr_storage from;
++ socklen_t fromlen;
++ struct addrinfo hints, *ai, *aitop;
++ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++ const char *ntop = ssh_remote_ipaddr(ssh);
++
++ /* Get IP address of client. */
++ fromlen = sizeof(from);
++ memset(&from, 0, sizeof(from));
++ if (getpeername(ssh_packet_get_connection_in(ssh),
++ (struct sockaddr *)&from, &fromlen) < 0) {
++ debug("getpeername failed: %.100s", strerror(errno));
++ return strdup(ntop);
++ }
++
++ ipv64_normalise_mapped(&from, &fromlen);
++ if (from.ss_family == AF_INET6)
++ fromlen = sizeof(struct sockaddr_in6);
++
++ debug3("Trying to reverse map address %.100s.", ntop);
++ /* Map the IP address to a host name. */
++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++ NULL, 0, NI_NAMEREQD) != 0) {
++ /* Host name not found. Use ip address. */
++ return strdup(ntop);
++ }
++
++ /*
++ * if reverse lookup result looks like a numeric hostname,
++ * someone is trying to trick us by PTR record like following:
++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
++ hints.ai_flags = AI_NUMERICHOST;
++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++ name, ntop);
++ freeaddrinfo(ai);
++ return strdup(ntop);
++ }
++
++ /* Names are stored in lowercase. */
++ lowercase(name);
++
++ /*
++ * Map it back to an IP address and check that the given
++ * address actually is an address of this host. This is
++ * necessary because anyone with access to a name server can
++ * define arbitrary names for an IP address. Mapping from
++ * name to IP address can be trusted better (but can still be
++ * fooled if the intruder has access to the name server of
++ * the domain).
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = from.ss_family;
++ hints.ai_socktype = SOCK_STREAM;
++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++ logit("reverse mapping checking getaddrinfo for %.700s "
++ "[%s] failed.", name, ntop);
++ return strdup(ntop);
++ }
++ /* Look for the address from the list of addresses. */
++ for (ai = aitop; ai; ai = ai->ai_next) {
++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++ (strcmp(ntop, ntop2) == 0))
++ break;
++ }
++ freeaddrinfo(aitop);
++ /* If we reached the end of the list, the address was not there. */
++ if (ai == NULL) {
++ /* Address not found for the host name. */
++ logit("Address %.100s maps to %.600s, but this does not "
++ "map back to the address.", ntop, name);
++ return strdup(ntop);
++ }
++ return strdup(name);
++}
+diff -rupN old/canohost.h new/canohost.h
+--- old/canohost.h 2016-09-21 19:40:20.298804941 -0700
++++ new/canohost.h 2016-09-21 19:25:47.335129267 -0700
+@@ -21,6 +21,9 @@ char *get_local_ipaddr(int);
+ char *get_local_name(int);
+ int get_local_port(int);
+
++#include "packet.h"
++char *remote_hostname(struct ssh *);
++
+ #endif /* _CANOHOST_H */
+
+ void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
+diff -rupN old/gss-genr.c new/gss-genr.c
+--- old/gss-genr.c 2016-09-21 19:40:20.301650203 -0700
++++ new/gss-genr.c 2016-09-21 19:25:47.301737088 -0700
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
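Review bot: The `remote_hostname()` moved into canohost.c keeps the comment "The returned string must not be freed", yet every return path is `return strdup(...)`, so each call hands the caller a fresh heap string; with the new client-side caller in sshconnect2.c that sentence will mislead whoever decides whether `gss_host` needs a `free()`. Replace it with `Returns a newly allocated string that the caller must free.` and reword the rhosts-specific `XXX` lines, since the forward-confirmed reverse lookup now also guards the host name the client uses to form the GSS service principal. The function's own comment notes the check can still be fooled by whoever controls the relevant name server, which is a reason to keep the patch header's krb5_expand_hostname TODO tracked rather than open-ended. Separately, the `#include "packet.h"` added to canohost.h sits between prototypes inside the include guard; hoisting it above the declarations, or forward-declaring `struct ssh;`, avoids a mid-header include.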
@@ -341,9 +570,9 @@
ssh_gssapi_delete_ctx(ctx);
return (!GSS_ERROR(major));
-diff -pur old/gss-serv.c new/gss-serv.c
---- old/gss-serv.c
-+++ new/gss-serv.c
+diff -rupN old/gss-serv.c new/gss-serv.c
+--- old/gss-serv.c 2016-09-21 19:40:20.304525100 -0700
++++ new/gss-serv.c 2016-09-21 19:25:47.229908522 -0700
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
@@ -416,10 +645,10 @@
-}
-
#endif
-diff -pur old/kex.c new/kex.c
---- old/kex.c
-+++ new/kex.c
-@@ -54,6 +54,10 @@
+diff -rupN old/kex.c new/kex.c
+--- old/kex.c 2016-09-21 19:40:20.307412118 -0700
++++ new/kex.c 2016-09-21 19:25:47.559276736 -0700
+@@ -55,6 +55,10 @@
#include "sshbuf.h"
#include "digest.h"
@@ -430,7 +659,7 @@
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256
-@@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = {
+@@ -111,6 +115,11 @@ static const struct kexalg kexalgs[] = {
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
@@ -442,7 +671,7 @@
{ NULL, -1, -1, -1},
};
-@@ -138,7 +147,7 @@ kex_alg_by_name(const char *name)
+@@ -142,7 +151,7 @@ kex_alg_by_name(const char *name)
const struct kexalg *k;
for (k = kexalgs; k->name != NULL; k++) {
@@ -451,10 +680,10 @@
return k;
}
return NULL;
-diff -pur old/kex.h new/kex.h
---- old/kex.h
-+++ new/kex.h
-@@ -92,6 +92,9 @@ enum kex_exchange {
+diff -rupN old/kex.h new/kex.h
+--- old/kex.h 2016-09-21 19:40:20.310245128 -0700
++++ new/kex.h 2016-09-21 19:25:47.142516186 -0700
+@@ -98,6 +98,9 @@ enum kex_exchange {
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
KEX_C25519_SHA256,
@@ -464,7 +693,7 @@
KEX_MAX
};
-@@ -140,6 +143,10 @@ struct kex {
+@@ -146,6 +149,10 @@ struct kex {
u_int flags;
int hash_alg;
int ec_nid;
@@ -475,7 +704,7 @@
char *client_version_string;
char *server_version_string;
char *failed_choice;
-@@ -189,6 +196,10 @@ int kexecdh_client(struct ssh *);
+@@ -195,6 +202,10 @@ int kexecdh_client(struct ssh *);
int kexecdh_server(struct ssh *);
int kexc25519_client(struct ssh *);
int kexc25519_server(struct ssh *);
@@ -484,12 +713,12 @@
+int kexgss_server(struct ssh *);
+#endif
- int kex_dh_hash(const char *, const char *,
+ int kex_dh_hash(int, const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
-diff -pur old/monitor.c new/monitor.c
---- old/monitor.c
-+++ new/monitor.c
-@@ -159,6 +159,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
+diff -rupN old/monitor.c new/monitor.c
+--- old/monitor.c 2016-09-21 19:40:20.313190151 -0700
++++ new/monitor.c 2016-09-21 19:25:47.525137447 -0700
+@@ -161,6 +161,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -497,7 +726,7 @@
#endif
#ifdef SSH_AUDIT_EVENTS
-@@ -243,11 +244,17 @@ struct mon_table mon_dispatch_proto20[]
+@@ -245,11 +246,17 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -515,7 +744,7 @@
#ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif
-@@ -362,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -364,6 +371,10 @@ monitor_child_preauth(Authctxt *_authctx
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -526,7 +755,7 @@
} else {
mon_dispatch = mon_dispatch_proto15;
-@@ -501,6 +512,10 @@ monitor_child_postauth(struct monitor *p
+@@ -503,6 +514,10 @@ monitor_child_postauth(struct monitor *p
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -537,7 +766,7 @@
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1924,6 +1939,13 @@ monitor_apply_keystate(struct monitor *p
+@@ -1939,6 +1954,13 @@ monitor_apply_keystate(struct monitor *p
# endif
#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -551,7 +780,7 @@
kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index;
-@@ -2023,6 +2045,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+@@ -2038,6 +2060,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major;
u_int len;
@@ -561,7 +790,7 @@
goid.elements = buffer_get_string(m, &len);
goid.length = len;
-@@ -2050,6 +2075,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2065,6 +2090,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@@ -571,7 +800,7 @@
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2067,6 +2095,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2082,6 +2110,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -579,7 +808,7 @@
}
return (0);
}
-@@ -2078,6 +2107,9 @@ mm_answer_gss_checkmic(int sock, Buffer
+@@ -2093,6 +2122,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret;
u_int len;
@@ -589,7 +818,7 @@
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
-@@ -2104,6 +2136,9 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2119,6 +2151,9 @@ mm_answer_gss_userok(int sock, Buffer *m
{
int authenticated;
@@ -599,7 +828,7 @@
authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
buffer_clear(m);
-@@ -2117,5 +2152,47 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2132,5 +2167,47 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@@ -647,9 +876,9 @@
+
#endif /* GSSAPI */
-diff -pur old/monitor.h new/monitor.h
---- old/monitor.h
-+++ new/monitor.h
+diff -rupN old/monitor.h new/monitor.h
+--- old/monitor.h 2016-09-21 19:40:20.316049455 -0700
++++ new/monitor.h 2016-09-21 19:25:47.113344203 -0700
@@ -68,6 +68,9 @@ enum monitor_reqtype {
#ifdef PAM_ENHANCEMENT
MONITOR_REQ_AUTHMETHOD = 114,
@@ -660,10 +889,10 @@
};
struct mm_master;
-diff -pur old/monitor_wrap.c new/monitor_wrap.c
---- old/monitor_wrap.c
-+++ new/monitor_wrap.c
-@@ -1103,5 +1103,28 @@ mm_ssh_gssapi_userok(char *user)
+diff -rupN old/monitor_wrap.c new/monitor_wrap.c
+--- old/monitor_wrap.c 2016-09-21 19:40:20.318913737 -0700
++++ new/monitor_wrap.c 2016-09-21 19:25:47.668505812 -0700
+@@ -1108,5 +1108,28 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
}
@@ -692,10 +921,10 @@
+
#endif /* GSSAPI */
-diff -pur old/monitor_wrap.h new/monitor_wrap.h
---- old/monitor_wrap.h
-+++ new/monitor_wrap.h
-@@ -60,6 +60,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
+diff -rupN old/monitor_wrap.h new/monitor_wrap.h
+--- old/monitor_wrap.h 2016-09-21 19:40:20.321783476 -0700
++++ new/monitor_wrap.h 2016-09-21 19:25:47.026452744 -0700
+@@ -62,6 +62,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
int mm_ssh_gssapi_userok(char *user);
OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
@@ -703,10 +932,10 @@
#endif
#ifdef USE_PAM
-diff -pur old/readconf.c new/readconf.c
---- old/readconf.c
-+++ new/readconf.c
-@@ -148,6 +148,7 @@ typedef enum {
+diff -rupN old/readconf.c new/readconf.c
+--- old/readconf.c 2016-09-21 19:40:20.324827120 -0700
++++ new/readconf.c 2016-09-21 19:25:47.885753634 -0700
+@@ -160,6 +160,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -714,7 +943,7 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
-@@ -199,11 +200,15 @@ static struct {
+@@ -211,11 +212,15 @@ static struct {
{ "gssauthentication", oGssAuthentication }, /* alias */
{ "gssapidelegatecredentials", oGssDelegateCreds },
{ "gssdelegatecreds", oGssDelegateCreds }, /* alias */
@@ -730,7 +959,7 @@
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
-@@ -965,6 +970,10 @@ parse_time:
+@@ -1002,6 +1007,10 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -741,7 +970,7 @@
case oGssDelegateCreds:
intptr = &options->gss_deleg_creds;
goto parse_flag;
-@@ -1694,6 +1703,7 @@ initialize_options(Options * options)
+@@ -1824,6 +1833,7 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@@ -749,7 +978,7 @@
options->gss_deleg_creds = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
-@@ -1834,6 +1844,12 @@ fill_default_options(Options * options)
+@@ -1979,6 +1989,12 @@ fill_default_options(Options * options)
#else
options->gss_authentication = 0;
#endif
@@ -762,9 +991,9 @@
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
if (options->password_authentication == -1)
-diff -pur old/readconf.h new/readconf.h
---- old/readconf.h
-+++ new/readconf.h
+diff -rupN old/readconf.h new/readconf.h
+--- old/readconf.h 2016-09-21 19:40:20.327689956 -0700
++++ new/readconf.h 2016-09-21 19:25:47.449284716 -0700
@@ -45,6 +45,7 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@@ -773,10 +1002,10 @@
int gss_deleg_creds; /* Delegate GSS credentials */
int password_authentication; /* Try password
* authentication. */
-diff -pur old/servconf.c new/servconf.c
---- old/servconf.c
-+++ new/servconf.c
-@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
+diff -rupN old/servconf.c new/servconf.c
+--- old/servconf.c 2016-09-21 19:40:20.330699306 -0700
++++ new/servconf.c 2016-09-21 19:25:47.054209571 -0700
+@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@@ -797,7 +1026,7 @@
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->gss_strict_acceptor == -1)
-@@ -449,6 +456,7 @@ typedef enum {
+@@ -457,6 +464,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -805,7 +1034,7 @@
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
-@@ -526,6 +534,8 @@ static struct {
+@@ -534,6 +542,8 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssauthentication", sGssAuthentication, SSHCFG_ALL }, /* alias */
@@ -814,7 +1043,7 @@
#ifdef USE_GSS_STORE_CRED
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
#else /* USE_GSS_STORE_CRED */
-@@ -535,6 +545,8 @@ static struct {
+@@ -543,6 +553,8 @@ static struct {
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssauthentication", sUnsupported, SSHCFG_ALL }, /* alias */
@@ -823,7 +1052,7 @@
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
#endif
-@@ -1319,6 +1331,10 @@ process_server_config_line(ServerOptions
+@@ -1328,6 +1340,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@@ -834,7 +1063,7 @@
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
-@@ -2373,6 +2389,7 @@ dump_config(ServerOptions *o)
+@@ -2416,6 +2432,7 @@ dump_config(ServerOptions *o)
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -842,9 +1071,9 @@
#ifndef USE_GSS_STORE_CRED
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
#endif /* !USE_GSS_STORE_CRED */
-diff -pur old/servconf.h new/servconf.h
---- old/servconf.h
-+++ new/servconf.h
+diff -rupN old/servconf.h new/servconf.h
+--- old/servconf.h 2016-09-21 19:40:20.333544958 -0700
++++ new/servconf.h 2016-09-21 19:25:47.739063955 -0700
@@ -122,6 +122,7 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
@@ -853,9 +1082,9 @@
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
int password_authentication; /* If true, permit password
-diff -pur old/ssh-gss.h new/ssh-gss.h
---- old/ssh-gss.h
-+++ new/ssh-gss.h
+diff -rupN old/ssh-gss.h new/ssh-gss.h
+--- old/ssh-gss.h 2016-09-21 19:40:20.336386442 -0700
++++ new/ssh-gss.h 2016-09-21 19:25:47.600702960 -0700
@@ -61,6 +61,17 @@
#define SSH_GSS_OIDTYPE 0x06
@@ -903,9 +1132,9 @@
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
-diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5
-+++ new/ssh_config.5
+diff -rupN old/ssh_config.5 new/ssh_config.5
+--- old/ssh_config.5 2016-09-21 19:40:20.339307715 -0700
++++ new/ssh_config.5 2016-09-21 19:25:47.188814608 -0700
@@ -834,6 +834,12 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default on Solaris is
@@ -919,10 +1148,10 @@
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
-diff -pur old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c
-+++ new/sshconnect2.c
-@@ -164,11 +164,35 @@ ssh_kex2(char *host, struct sockaddr *ho
+diff -rupN old/sshconnect2.c new/sshconnect2.c
+--- old/sshconnect2.c 2016-09-21 19:40:20.342249196 -0700
++++ new/sshconnect2.c 2016-09-21 19:25:47.810679787 -0700
+@@ -165,11 +165,35 @@ ssh_kex2(char *host, struct sockaddr *ho
char *s;
struct kex *kex;
int r;
@@ -944,7 +1173,7 @@
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
-+ gss_host = (char *)get_canonical_hostname(1);
++ gss_host = (char *)remote_hostname(active_state);
+
+ gss = ssh_gssapi_client_mechanisms(gss_host);
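Review bot: The `(char *)` cast in `gss_host = (char *)remote_hostname(active_state);` is a leftover from `get_canonical_hostname()`, which returned a `const char *` into a cache; `remote_hostname()` returns a non-const pointer that `strdup()` allocated, so the cast is redundant and, unlike before, `gss_host` must be freed once the proposal has been built. No `free(gss_host)` is visible in this hunk and ssh_kex2 starts and ends outside it, so please confirm one exists after `ssh_gssapi_client_mechanisms()` is done with the name; otherwise every connection leaks the string. Suggested line: `gss_host = remote_hostname(active_state);`.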
+ if (gss) {
@@ -959,7 +1188,7 @@
fatal("%s: kex_names_cat", __func__);
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-@@ -199,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -196,6 +220,17 @@ ssh_kex2(char *host, struct sockaddr *ho
order_hostkeyalgs(host, hostaddr, port));
}
@@ -1020,7 +1249,7 @@
{"gssapi-with-mic",
userauth_gssapi,
NULL,
-@@ -678,7 +732,10 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -672,7 +726,10 @@ userauth_gssapi(Authctxt *authctxt)
* once. */
if (gss_supported == NULL)
@@ -1032,7 +1261,7 @@
/* Check to see if the mechanism is usable before we offer it */
while (mech < gss_supported->count && !ok) {
-@@ -782,8 +839,8 @@ input_gssapi_response(int type, u_int32_
+@@ -776,8 +833,8 @@ input_gssapi_response(int type, u_int32_
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@@ -1043,7 +1272,7 @@
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
-@@ -896,6 +953,48 @@ input_gssapi_error(int type, u_int32_t p
+@@ -890,6 +947,48 @@ input_gssapi_error(int type, u_int32_t p
free(lang);
return 0;
}
@@ -1092,10 +1321,10 @@
#endif /* GSSAPI */
int
-diff -pur old/sshd.c new/sshd.c
---- old/sshd.c
-+++ new/sshd.c
-@@ -1833,10 +1833,13 @@ main(int ac, char **av)
+diff -rupN old/sshd.c new/sshd.c
+--- old/sshd.c 2016-09-21 19:40:20.345291027 -0700
++++ new/sshd.c 2016-09-21 19:25:47.376369649 -0700
+@@ -1892,10 +1892,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
@@ -1109,7 +1338,7 @@
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
-@@ -2596,6 +2599,48 @@ do_ssh2_kex(void)
+@@ -2656,6 +2659,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
@@ -1158,7 +1387,7 @@
/* start key exchange */
if ((r = kex_setup(active_state, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r));
-@@ -2610,6 +2655,13 @@ do_ssh2_kex(void)
+@@ -2673,6 +2718,13 @@ do_ssh2_kex(void)
# endif
#endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -1172,10 +1401,10 @@
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
-diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5
-+++ new/sshd_config.5
-@@ -623,6 +623,11 @@ The default is
+diff -rupN old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5 2016-09-21 19:40:20.348225013 -0700
++++ new/sshd_config.5 2016-09-21 19:25:47.433470021 -0700
+@@ -632,6 +632,11 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default on Solaris is
.Dq yes .
@@ -1187,9 +1416,9 @@
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
-diff -pur old/sshkey.c new/sshkey.c
---- old/sshkey.c
-+++ new/sshkey.c
+diff -rupN old/sshkey.c new/sshkey.c
+--- old/sshkey.c 2016-09-21 19:40:20.351243462 -0700
++++ new/sshkey.c 2016-09-21 19:25:47.271519675 -0700
@@ -115,6 +115,7 @@ static const struct keytype keytypes[] =
# endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
@@ -1198,9 +1427,9 @@
{ NULL, NULL, -1, -1, 0, 0 }
};
-diff -pur old/sshkey.h new/sshkey.h
---- old/sshkey.h
-+++ new/sshkey.h
+diff -rupN old/sshkey.h new/sshkey.h
+--- old/sshkey.h 2016-09-21 19:40:20.354147713 -0700
++++ new/sshkey.h 2016-09-21 19:25:47.934179627 -0700
@@ -62,6 +62,7 @@ enum sshkey_types {
KEY_DSA_CERT,
KEY_ECDSA_CERT,
--- a/components/openssh/patches/033-without_cast128.patch Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/033-without_cast128.patch Wed Nov 16 12:17:49 2016 -0800
@@ -12,26 +12,16 @@
# relevant ssh implementations also provide several more common encryption
# algorithms (aes256-ctr, aes128-cbc, ...) on top of cast128-cbc.
#
+# Update Aug 29, 2016:
+# This used to be implemented by Solaris specific macro WITHOUT_CAST,
+# but now upstream OPENSSL_NO_CAST is used instead. This patch now just
+# removes cast references from manpages.
+#
# This is a Solaris specific patch and it is not likely to be accepted upstream.
#
-diff -pur old/cipher.c new/cipher.c
---- old/cipher.c
-+++ new/cipher.c
-@@ -88,8 +88,10 @@ static const struct sshcipher ciphers[]
- { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
- { "blowfish-cbc",
- SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
-+#ifndef WITHOUT_CAST128
- { "cast128-cbc",
- SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
-+#endif
- { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
- { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
- { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
-diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5
-+++ new/ssh_config.5
-@@ -478,8 +478,6 @@ arcfour256
+--- orig/ssh_config.5 Mon Aug 15 17:22:20 2016
++++ new/ssh_config.5 Mon Aug 15 17:25:28 2016
+@@ -478,8 +478,6 @@
.It
blowfish-cbc
.It
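Review bot: The new header paragraph names the old macro `WITHOUT_CAST`, but the cipher.c hunk this same change removes (and the Makefile's former `-DWITHOUT_CAST128`) spelled it `WITHOUT_CAST128`; suggest `# This used to be implemented by Solaris specific macro WITHOUT_CAST128,` so a reader grepping history finds the right symbol. The rewritten file headers (`--- orig/ssh_config.5 ...`) also drop the `diff -pur old/... new/...` line that the other patches in this component keep, which patch(1) does not need but which makes this file the odd one out.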
@@ -40,10 +30,20 @@
[email protected]
.El
.Pp
-diff -pur old/sshd.8 new/sshd.8
---- old/sshd.8
-+++ new/sshd.8
-@@ -307,7 +307,7 @@ For protocol 2,
+--- orig/sshd_config.5 Mon Aug 15 17:22:29 2016
++++ new/sshd_config.5 Mon Aug 15 17:25:58 2016
+@@ -479,8 +479,6 @@
+ .It
+ blowfish-cbc
+ .It
+-cast128-cbc
+-.It
+ [email protected]
+ .El
+ .Pp
+--- orig/sshd.8 Mon Aug 15 17:22:36 2016
++++ new/sshd.8 Mon Aug 15 17:26:48 2016
+@@ -307,7 +307,7 @@
forward security is provided through a Diffie-Hellman key agreement.
This key agreement results in a shared session key.
The rest of the session is encrypted using a symmetric cipher, currently
@@ -52,15 +52,3 @@
The client selects the encryption algorithm
to use from those offered by the server.
Additionally, session integrity is provided
-diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5
-+++ new/sshd_config.5
-@@ -472,8 +472,6 @@ arcfour256
- .It
- blowfish-cbc
- .It
--cast128-cbc
--.It
- [email protected]
- .El
- .Pp
--- a/components/openssh/patches/034-getaddrinfo_with_ai_addrconfig.patch Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/034-getaddrinfo_with_ai_addrconfig.patch Wed Nov 16 12:17:49 2016 -0800
@@ -8,9 +8,10 @@
# In the future, if this fix is accepted by the upsteam in a later release, we
# will remove this patch when we upgrade to that release.
#
---- a/canohost.c Sun Oct 25 20:11:35 2015
-+++ b/canohost.c Sun Oct 25 20:11:57 2015
-@@ -113,6 +113,10 @@
+diff -pur old/canohost.c new/canohost.c
+--- old/canohost.c
++++ new/canohost.c
+@@ -274,6 +274,10 @@ remote_hostname(struct ssh *ssh)
memset(&hints, 0, sizeof(hints));
hints.ai_family = from.ss_family;
hints.ai_socktype = SOCK_STREAM;
@@ -20,10 +21,11 @@
+#endif /* AI_ADDRCONFIG */
if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
logit("reverse mapping checking getaddrinfo for %.700s "
- "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
---- a/channels.c Sun Oct 25 19:30:33 2015
-+++ b/channels.c Sun Oct 25 19:54:36 2015
-@@ -2853,8 +2853,12 @@
+ "[%s] failed.", name, ntop);
+diff -pur old/channels.c new/channels.c
+--- old/channels.c
++++ new/channels.c
+@@ -2856,8 +2856,12 @@ channel_setup_fwd_listener_tcpip(int typ
*/
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
@@ -37,7 +39,7 @@
snprintf(strport, sizeof strport, "%d", fwd->listen_port);
if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
if (addr == NULL) {
-@@ -3736,6 +3740,10 @@
+@@ -3740,6 +3744,10 @@ connect_to(const char *name, int port, c
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_socktype = SOCK_STREAM;
@@ -48,7 +50,7 @@
snprintf(strport, sizeof strport, "%d", port);
if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop)) != 0) {
error("connect_to %.100s: unknown host (%s)", name,
-@@ -3908,8 +3916,12 @@
+@@ -3912,8 +3920,12 @@ x11_create_display_inet(int x11_display_
port = 6000 + display_number;
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
@@ -62,7 +64,7 @@
snprintf(strport, sizeof strport, "%d", port);
if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr));
-@@ -4090,6 +4102,10 @@
+@@ -4094,6 +4106,10 @@ x11_connect_display(void)
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_socktype = SOCK_STREAM;
@@ -73,72 +75,10 @@
snprintf(strport, sizeof strport, "%u", 6000 + display_number);
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
error("%.100s: unknown host. (%s)", buf,
---- a/servconf.c Sun Oct 25 19:39:38 2015
-+++ b/servconf.c Sun Oct 25 19:45:16 2015
-@@ -722,6 +722,10 @@
- hints.ai_family = options->address_family;
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
-+#ifdef AI_ADDRCONFIG
-+ if (hints.ai_family == AF_UNSPEC)
-+ hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- snprintf(strport, sizeof strport, "%d", port);
- if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
- fatal("bad addr or host: %s (%s)",
---- a/ssh-keyscan.c Sun Oct 25 19:46:28 2015
-+++ b/ssh-keyscan.c Sun Oct 25 19:54:55 2015
-@@ -326,6 +326,10 @@
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = IPv4or6;
- hints.ai_socktype = SOCK_STREAM;
-+#ifdef AI_ADDRCONFIG
-+ if (hints.ai_family == AF_UNSPEC)
-+ hints.ai_flags = AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
- error("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
- return -1;
---- a/ssh.c Sun Oct 25 19:49:46 2015
-+++ b/ssh.c Sun Oct 25 19:55:15 2015
-@@ -259,6 +259,10 @@
- hints.ai_socktype = SOCK_STREAM;
- if (cname != NULL)
- hints.ai_flags = AI_CANONNAME;
-+#ifdef AI_ADDRCONFIG
-+ if (hints.ai_family == AF_UNSPEC)
-+ hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
- if (logerr || (gaierr != EAI_NONAME && gaierr != EAI_NODATA))
- loglevel = SYSLOG_LEVEL_ERROR;
-@@ -298,6 +302,10 @@
- AF_UNSPEC : options.address_family;
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
-+#ifdef AI_ADDRCONFIG
-+ if (hints.ai_family == AF_UNSPEC)
-+ hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
- debug2("%s: could not resolve name %.100s as address: %s",
- __func__, name, ssh_gai_strerror(gaierr));
---- a/sshconnect.c Sun Oct 25 19:57:46 2015
-+++ b/sshconnect.c Sun Oct 25 19:58:19 2015
-@@ -292,6 +292,10 @@
- hints.ai_socktype = ai->ai_socktype;
- hints.ai_protocol = ai->ai_protocol;
- hints.ai_flags = AI_PASSIVE;
-+#ifdef AI_ADDRCONFIG
-+ if (hints.ai_family == AF_UNSPEC)
-+ hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
- if (gaierr) {
- error("getaddrinfo: %s: %s", options.bind_address,
---- a/regress/netcat.c Sun Oct 25 19:59:44 2015
-+++ b/regress/netcat.c Sun Oct 25 20:07:05 2015
-@@ -371,6 +371,10 @@
+diff -pur old/regress/netcat.c new/regress/netcat.c
+--- old/regress/netcat.c
++++ new/regress/netcat.c
+@@ -334,6 +334,10 @@ main(int argc, char *argv[])
hints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP;
if (nflag)
hints.ai_flags |= AI_NUMERICHOST;
@@ -149,7 +89,7 @@
}
if (xflag) {
-@@ -399,6 +403,10 @@
+@@ -362,6 +366,10 @@ main(int argc, char *argv[])
proxyhints.ai_protocol = IPPROTO_TCP;
if (nflag)
proxyhints.ai_flags |= AI_NUMERICHOST;
@@ -160,7 +100,7 @@
}
if (lflag) {
-@@ -673,6 +681,10 @@
+@@ -636,6 +644,10 @@ remote_connect(const char *host, const c
ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
ahints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP;
ahints.ai_flags = AI_PASSIVE;
@@ -171,7 +111,7 @@
if ((error = getaddrinfo(sflag, pflag, &ahints, &ares)))
errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -1422,8 +1434,12 @@
+@@ -1385,8 +1397,12 @@ decode_addrport(const char *h, const cha
bzero(&hints, sizeof(hints));
hints.ai_family = v4only ? PF_INET : PF_UNSPEC;
@@ -185,3 +125,70 @@
r = getaddrinfo(h, p, &hints, &res);
/* Don't fatal when attempting to convert a numeric address */
if (r != 0) {
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
+@@ -735,6 +735,10 @@ add_one_listen_addr(ServerOptions *optio
+ hints.ai_family = options->address_family;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
++#ifdef AI_ADDRCONFIG
++ if (hints.ai_family == AF_UNSPEC)
++ hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ snprintf(strport, sizeof strport, "%d", port);
+ if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
+ fatal("bad addr or host: %s (%s)",
+diff -pur old/ssh-keyscan.c new/ssh-keyscan.c
+--- old/ssh-keyscan.c
++++ new/ssh-keyscan.c
+@@ -365,6 +365,10 @@ tcpconnect(char *host)
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = IPv4or6;
+ hints.ai_socktype = SOCK_STREAM;
++#ifdef AI_ADDRCONFIG
++ if (hints.ai_family == AF_UNSPEC)
++ hints.ai_flags = AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
+ error("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
+ return -1;
+diff -pur old/ssh.c new/ssh.c
+--- old/ssh.c
++++ new/ssh.c
+@@ -254,6 +254,10 @@ resolve_host(const char *name, int port,
+ hints.ai_socktype = SOCK_STREAM;
+ if (cname != NULL)
+ hints.ai_flags = AI_CANONNAME;
++#ifdef AI_ADDRCONFIG
++ if (hints.ai_family == AF_UNSPEC)
++ hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
+ if (logerr || (gaierr != EAI_NONAME && gaierr != EAI_NODATA))
+ loglevel = SYSLOG_LEVEL_ERROR;
+@@ -293,6 +297,10 @@ resolve_addr(const char *name, int port,
+ AF_UNSPEC : options.address_family;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
++#ifdef AI_ADDRCONFIG
++ if (hints.ai_family == AF_UNSPEC)
++ hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
+ debug2("%s: could not resolve name %.100s as address: %s",
+ __func__, name, ssh_gai_strerror(gaierr));
+diff -pur old/sshconnect.c new/sshconnect.c
+--- old/sshconnect.c
++++ new/sshconnect.c
+@@ -293,6 +293,10 @@ ssh_create_socket(int privileged, struct
+ hints.ai_socktype = ai->ai_socktype;
+ hints.ai_protocol = ai->ai_protocol;
+ hints.ai_flags = AI_PASSIVE;
++#ifdef AI_ADDRCONFIG
++ if (hints.ai_family == AF_UNSPEC)
++ hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+ if (gaierr) {
+ error("getaddrinfo: %s: %s", options.bind_address,
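Review bot: In the re-added ssh-keyscan.c hunk, `hints.ai_flags = AI_ADDRCONFIG;` assigns where every sibling hunk in this patch uses `hints.ai_flags |= AI_ADDRCONFIG;`; it is equivalent today because hints was just memset() in tcpconnect(), but it would silently discard any flag set earlier if that function changes, so `|=` is the safer and consistent form. This hunk otherwise only moves the servconf.c, ssh-keyscan.c, ssh.c and sshconnect.c pieces that the `@@ -73,72 +75,10 @@` hunk above removed, re-synced to 7.3 line numbers.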
--- a/components/openssh/patches/035-fips.patch Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/035-fips.patch Wed Nov 16 12:17:49 2016 -0800
@@ -45,7 +45,15 @@
diff -pur old/digest-openssl.c new/digest-openssl.c
--- old/digest-openssl.c
+++ new/digest-openssl.c
-@@ -53,8 +53,22 @@ struct ssh_digest {
+@@ -31,6 +31,7 @@
+ #include "sshbuf.h"
+ #include "digest.h"
+ #include "ssherr.h"
++#include "misc.h"
+
+ #ifndef HAVE_EVP_RIPEMD160
+ # define EVP_ripemd160 NULL
+@@ -53,8 +54,22 @@ struct ssh_digest {
const EVP_MD *(*mdfunc)(void);
};
@@ -68,7 +76,7 @@
{ SSH_DIGEST_MD5, "MD5", 16, EVP_md5 },
{ SSH_DIGEST_RIPEMD160, "RIPEMD160", 20, EVP_ripemd160 },
{ SSH_DIGEST_SHA1, "SHA1", 20, EVP_sha1 },
-@@ -67,6 +81,9 @@ const struct ssh_digest digests[] = {
+@@ -67,6 +82,9 @@ const struct ssh_digest digests[] = {
static const struct ssh_digest *
ssh_digest_by_alg(int alg)
{
@@ -78,7 +86,7 @@
if (alg < 0 || alg >= SSH_DIGEST_MAX)
return NULL;
if (digests[alg].id != alg) /* sanity */
-@@ -79,6 +96,9 @@ ssh_digest_by_alg(int alg)
+@@ -79,6 +97,9 @@ ssh_digest_by_alg(int alg)
int
ssh_digest_alg_by_name(const char *name)
{
@@ -91,7 +99,15 @@
diff -pur old/gss-genr.c new/gss-genr.c
--- old/gss-genr.c
+++ new/gss-genr.c
-@@ -100,6 +100,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -44,6 +44,7 @@
+ #include "cipher.h"
+ #include "key.h"
+ #include "kex.h"
++#include "misc.h"
+ #include <openssl/evp.h>
+
+ #include "ssh-gss.h"
+@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
char deroid[2];
const EVP_MD *evp_md = EVP_md5();
EVP_MD_CTX md;
@@ -99,7 +115,7 @@
if (gss_enc2oid != NULL) {
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
-@@ -112,6 +113,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -112,6 +114,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
buffer_init(&buf);
@@ -114,7 +130,7 @@
oidpos = 0;
for (i = 0; i < gss_supported->count; i++) {
if (gss_supported->elements[i].length < 128 &&
-@@ -119,7 +128,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -119,7 +129,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
deroid[0] = SSH_GSS_OIDTYPE;
deroid[1] = gss_supported->elements[i].length;
@@ -122,7 +138,7 @@
EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, deroid, 2);
EVP_DigestUpdate(&md,
-@@ -151,6 +159,12 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -151,6 +160,12 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
oidpos++;
}
}
@@ -138,7 +154,7 @@
diff -pur old/kex.c new/kex.c
--- old/kex.c
+++ new/kex.c
-@@ -89,7 +89,40 @@ struct kexalg {
+@@ -90,7 +90,43 @@ struct kexalg {
int ec_nid;
int hash_alg;
};
@@ -149,7 +165,10 @@
+static const struct kexalg kexalgs_fips[] = {
+#ifdef WITH_OPENSSL
+ { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
-+ { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
++ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
++ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
++ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
++ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+#ifdef HAVE_EVP_SHA256
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
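Review bot: The FIPS key-exchange table gains the SHA-2 group14/16/18 entries but still lists `{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }` at its top; if `kexalgs_fips` is the allow-list for FIPS mode as its name suggests, keeping the 1024-bit group1 exchange there lets a FIPS-mode configuration negotiate a group below the 2048-bit minimum NIST SP 800-131A permits for new key agreement, and upstream has disabled group1 by default since 7.0. Consider dropping that entry, or documenting in the patch header why FIPS mode must keep it. The start of the table and its closing `#endif` are outside this hunk.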
@@ -178,7 +197,7 @@
+#endif
#ifdef WITH_OPENSSL
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
- { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
diff -pur old/mac.c new/mac.c
--- old/mac.c
+++ new/mac.c
@@ -219,7 +238,7 @@
diff -pur old/misc.c new/misc.c
--- old/misc.c
+++ new/misc.c
-@@ -39,12 +39,15 @@
+@@ -39,12 +39,16 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
@@ -231,11 +250,12 @@
#include <netinet/tcp.h>
+#include <openssl/crypto.h>
++#include <openssl/err.h>
+
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
-@@ -78,6 +81,60 @@ chop(char *s)
+@@ -78,6 +82,60 @@ chop(char *s)
}
@@ -299,7 +319,7 @@
diff -pur old/misc.h new/misc.h
--- old/misc.h
+++ new/misc.h
-@@ -38,6 +38,11 @@ struct ForwardOptions {
+@@ -40,6 +40,11 @@ struct ForwardOptions {
char *chop(char *);
char *strdelim(char **);
@@ -314,7 +334,7 @@
diff -pur old/myproposal.h new/myproposal.h
--- old/myproposal.h
+++ new/myproposal.h
-@@ -83,19 +83,31 @@
+@@ -88,21 +88,33 @@
# else
# define KEX_CURVE25519_METHODS ""
# endif
@@ -323,21 +343,23 @@
+#define KEX_COMMON_KEX_DFLT \
KEX_CURVE25519_METHODS \
KEX_ECDH_METHODS \
- KEX_SHA256_METHODS
+ KEX_SHA2_METHODS
-#define KEX_SERVER_KEX KEX_COMMON_KEX \
+#define KEX_SERVER_KEX_DFLT KEX_COMMON_KEX_DFLT \
+ KEX_SHA2_GROUP14 \
"diffie-hellman-group14-sha1" \
-#define KEX_CLIENT_KEX KEX_COMMON_KEX \
+#define KEX_CLIENT_KEX_DFLT KEX_COMMON_KEX_DFLT \
"diffie-hellman-group-exchange-sha1," \
+ KEX_SHA2_GROUP14 \
"diffie-hellman-group14-sha1"
-#define KEX_DEFAULT_PK_ALG \
+#define KEX_COMMON_KEX_FIPS \
+ KEX_ECDH_METHODS \
-+ KEX_SHA256_METHODS
++ KEX_SHA2_METHODS
+
+#define KEX_SERVER_KEX_FIPS KEX_COMMON_KEX_FIPS \
+ "diffie-hellman-group14-sha1" \
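Review bot: The default proposals in this hunk gain `KEX_SHA2_GROUP14` (diffie-hellman-group14-sha256), but the FIPS server proposal at `#define KEX_SERVER_KEX_FIPS KEX_COMMON_KEX_FIPS \` still appends only `"diffie-hellman-group14-sha1"`, even though the kex.c part of this same patch adds KEX_DH14_SHA256 to the FIPS algorithm table. If group14-sha256 is meant to be negotiable in FIPS mode, add `KEX_SHA2_GROUP14 \` on the line before `"diffie-hellman-group14-sha1"` in both the server and client FIPS macros; otherwise the kex.c entry is never offered by default. The client FIPS macro lies past the end of this hunk, so this is inferred from the server side only.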
@@ -350,7 +372,7 @@
HOSTKEY_ECDSA_CERT_METHODS \
"[email protected]," \
"[email protected]," \
-@@ -105,17 +117,32 @@
+@@ -112,17 +124,32 @@
"rsa-sha2-256," \
"ssh-rsa"
@@ -386,7 +408,7 @@
"[email protected]," \
"[email protected]," \
"[email protected]," \
-@@ -127,7 +154,42 @@
+@@ -134,7 +161,42 @@
"hmac-sha2-512," \
"hmac-sha1"
@@ -473,7 +495,7 @@
diff -pur old/ssh-agent.c new/ssh-agent.c
--- old/ssh-agent.c
+++ new/ssh-agent.c
-@@ -1199,6 +1199,7 @@ main(int ac, char **av)
+@@ -1196,6 +1196,7 @@ main(int ac, char **av)
struct timeval *tvp = NULL;
size_t len;
mode_t prev_mask;
@@ -481,9 +503,9 @@
ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-@@ -1213,6 +1214,9 @@ main(int ac, char **av)
- prctl(PR_SET_DUMPABLE, 0);
- #endif
+@@ -1207,6 +1208,9 @@ main(int ac, char **av)
+
+ platform_disable_tracing(0); /* strict=no */
+#ifdef ENABLE_OPENSSL_FIPS
+ fips_err = ssh_FIPS_mode_set_if_capable();
@@ -491,7 +513,7 @@
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
#endif
-@@ -1343,8 +1347,19 @@ main(int ac, char **av)
+@@ -1337,8 +1341,19 @@ main(int ac, char **av)
printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
SSH_AUTHSOCKET_ENV_NAME);
printf("echo Agent pid %ld;\n", (long)parent_pid);
@@ -514,7 +536,7 @@
diff -pur old/ssh-keygen.1 new/ssh-keygen.1
--- old/ssh-keygen.1
+++ new/ssh-keygen.1
-@@ -283,6 +283,8 @@ and
+@@ -284,6 +284,8 @@ and
.Dq sha256 .
The default is
.Dq sha256 .
@@ -526,7 +548,7 @@
diff -pur old/ssh-keygen.c new/ssh-keygen.c
--- old/ssh-keygen.c
+++ new/ssh-keygen.c
-@@ -2267,11 +2267,18 @@ main(int argc, char **argv)
+@@ -2273,11 +2273,18 @@ main(int argc, char **argv)
__progname = ssh_get_progname(argv[0]);
@@ -576,7 +598,7 @@
diff -pur old/ssh.1 new/ssh.1
--- old/ssh.1
+++ new/ssh.1
-@@ -91,6 +91,9 @@ If
+@@ -92,6 +92,9 @@ If
is specified,
it is executed on the remote host instead of a login shell.
.Pp
@@ -589,7 +611,7 @@
diff -pur old/ssh.c new/ssh.c
--- old/ssh.c
+++ new/ssh.c
-@@ -606,6 +606,11 @@ main(int ac, char **av)
+@@ -609,6 +609,11 @@ main(int ac, char **av)
*/
initialize_options(&options);
@@ -601,7 +623,7 @@
/* Parse command-line arguments. */
host = NULL;
use_syslog = 0;
-@@ -1016,6 +1021,10 @@ main(int ac, char **av)
+@@ -1028,6 +1033,10 @@ main(int ac, char **av)
#endif
);
@@ -615,7 +637,7 @@
diff -pur old/ssh_api.c new/ssh_api.c
--- old/ssh_api.c
+++ new/ssh_api.c
-@@ -81,6 +81,10 @@ ssh_init(struct ssh **sshp, int is_serve
+@@ -79,6 +79,10 @@ ssh_init(struct ssh **sshp, int is_serve
int r;
if (!called) {
@@ -652,7 +674,7 @@
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
-@@ -1200,6 +1209,16 @@ [email protected],[email protected]
+@@ -1249,6 +1258,16 @@ [email protected],[email protected]
hmac-sha2-256,hmac-sha2-512,hmac-sha1
.Ed
.Pp
@@ -703,7 +725,7 @@
diff -pur old/sshd.c new/sshd.c
--- old/sshd.c
+++ new/sshd.c
-@@ -430,10 +430,18 @@ sshd_exchange_identification(int sock_in
+@@ -431,10 +431,18 @@ sshd_exchange_identification(struct ssh
minor = PROTOCOL_MINOR_1;
}
@@ -722,7 +744,7 @@
/* Send our protocol version identification. */
if (atomicio(vwrite, sock_out, server_version_string,
-@@ -1503,6 +1511,10 @@ main(int ac, char **av)
+@@ -1562,6 +1570,10 @@ main(int ac, char **av)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@@ -733,7 +755,7 @@
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
-@@ -1653,6 +1665,10 @@ main(int ac, char **av)
+@@ -1712,6 +1724,10 @@ main(int ac, char **av)
SYSLOG_FACILITY_AUTH : options.log_facility,
log_stderr || !inetd_flag);
@@ -747,7 +769,7 @@
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5
+++ new/sshd_config.5
-@@ -482,6 +482,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
+@@ -489,6 +489,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
[email protected],[email protected]
.Ed
.Pp
@@ -761,7 +783,7 @@
The list of available ciphers may also be obtained using the
.Fl Q
option of
-@@ -576,6 +583,8 @@ and
+@@ -585,6 +592,8 @@ and
.Dq sha256 .
The default is
.Dq sha256 .
@@ -770,7 +792,7 @@
.It Cm ForceCommand
Forces the execution of the command specified by
.Cm ForceCommand ,
-@@ -1025,6 +1034,16 @@ [email protected],[email protected]
+@@ -1034,6 +1043,16 @@ [email protected],[email protected]
hmac-sha2-256,hmac-sha2-512,hmac-sha1
.Ed
.Pp
--- a/components/openssh/patches/036-fipsrandom.patch Wed Nov 16 12:04:24 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,119 +0,0 @@
-#
-# Replace arc4random* calls with FIPS compliant implementation in FIPS mode.
-#
-# Once libc:arc4random* are FIPS compliant (20816957), this patch will be
-# dropped.
-#
-# This is a temporary patch and is not intented for upstream contribution.
-#
-diff -pur old/misc.c new/misc.c
---- old/misc.c
-+++ new/misc.c
-@@ -1164,3 +1164,87 @@ sock_set_v6only(int s)
- error("setsockopt IPV6_V6ONLY: %s", strerror(errno));
- #endif
- }
-+
-+#ifdef ENABLE_OPENSSL_FIPS
-+/* cancel arc4random* -> fips_arc4random* defines from misc.h */
-+#undef arc4random
-+#undef arc4random_buf
-+#undef arc4random_stir
-+#undef arc4random_uniform
-+
-+/* FIPS compliant alternative for arc4random */
-+static uint32_t
-+fips_arc4random_impl()
-+{
-+ unsigned int r = 0;
-+
-+ if (RAND_bytes((unsigned char *)&r, sizeof (r)) <= 0) {
-+ fatal("RAND_bytes() failed. Aborting the process");
-+ }
-+
-+ return (r);
-+}
-+
-+uint32_t
-+fips_arc4random()
-+{
-+ if (!ssh_FIPS_mode())
-+ return arc4random();
-+ else
-+ return fips_arc4random_impl();
-+}
-+
-+/* implementation taken from openbsd-compat/arc4random.c */
-+void
-+fips_arc4random_buf(void *_buf, size_t n)
-+{
-+ size_t i;
-+ uint32_t r = 0;
-+ char *buf = (char *)_buf;
-+
-+ if (!ssh_FIPS_mode())
-+ return arc4random_buf(_buf, n);
-+
-+ for (i = 0; i < n; i++) {
-+ if (i % 4 == 0)
-+ r = fips_arc4random_impl();
-+ buf[i] = r & 0xff;
-+ r >>= 8;
-+ }
-+ explicit_bzero(&r, sizeof(r));
-+}
-+
-+void
-+fips_arc4random_stir(void)
-+{
-+ if (!ssh_FIPS_mode())
-+ return arc4random_stir();
-+}
-+
-+/* implementation taken from openbsd-compat/arc4random.c */
-+uint32_t
-+fips_arc4random_uniform(uint32_t upper_bound)
-+{
-+ uint32_t r, min;
-+
-+ if (upper_bound < 2)
-+ return 0;
-+
-+ /* 2**32 % x == (2**32 - x) % x */
-+ min = -upper_bound % upper_bound;
-+
-+ /*
-+ * This could theoretically loop forever but each retry has
-+ * p > 0.5 (worst case, usually far better) of selecting a
-+ * number inside the range we need, so it should rarely need
-+ * to re-roll.
-+ */
-+ for (;;) {
-+ r = fips_arc4random_impl();
-+ if (r >= min)
-+ break;
-+ }
-+
-+ return r % upper_bound;
-+}
-+#endif /* ENABLE_OPENSSL_FIPS */
-diff -pur old/misc.h new/misc.h
---- old/misc.h
-+++ new/misc.h
-@@ -140,4 +140,16 @@ char *read_passphrase(const char *, int)
- int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
- int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
-
-+#ifdef ENABLE_OPENSSL_FIPS
-+/* arc4random* FIPS alternatives */
-+uint32_t fips_arc4random(void);
-+void fips_arc4random_buf(void *, size_t);
-+void fips_arc4random_stir(void);
-+uint32_t fips_arc4random_uniform(uint32_t upper_bound);
-+#define arc4random fips_arc4random
-+#define arc4random_buf fips_arc4random_buf
-+#define arc4random_stir fips_arc4random_stir
-+#define arc4random_uniform fips_arc4random_uniform
-+#endif /* ENABLE_OPENSSL_FIPS */
-+
- #endif /* _MISC_H */
--- a/components/openssh/patches/041-pam_ctx_preserve.patch Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/patches/041-pam_ctx_preserve.patch Wed Nov 16 12:17:49 2016 -0800
@@ -22,11 +22,10 @@
# Reported upstream:
# https://bugzilla.mindrot.org/show_bug.cgi?id=2548
#
-
diff -pur old/auth-pam.c new/auth-pam.c
--- old/auth-pam.c
+++ new/auth-pam.c
-@@ -97,6 +97,7 @@
+@@ -98,6 +98,7 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
@@ -34,7 +33,7 @@
extern ServerOptions options;
extern Buffer loginmsg;
-@@ -109,38 +110,26 @@ extern u_int utmp_len;
+@@ -110,38 +111,26 @@ extern u_int utmp_len;
#endif
/*
@@ -83,7 +82,7 @@
static mysig_t sshpam_oldsig;
static void
-@@ -149,78 +138,22 @@ sshpam_sigchld_handler(int sig)
+@@ -150,85 +139,25 @@ sshpam_sigchld_handler(int sig)
signal(SIGCHLD, SIG_DFL);
if (cleanup_ctxt == NULL)
return; /* handler called after PAM cleanup, shouldn't happen */
@@ -92,12 +91,16 @@
<= 0) {
- /* PAM thread has not exitted, privsep slave must have */
- kill(cleanup_ctxt->pam_thread, SIGTERM);
-- if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
+- while (waitpid(cleanup_ctxt->pam_thread,
+- &sshpam_thread_status, 0) == -1) {
+ /* callback child has not exited, privsep slave must have */
+ kill(cleanup_ctxt->pam_child, SIGTERM);
-+ if (waitpid(cleanup_ctxt->pam_child, &sshpam_child_status, 0)
- <= 0)
- return; /* could not wait */
++ while (waitpid(cleanup_ctxt->pam_child,
++ &sshpam_child_status, 0) == -1) {
+ if (errno == EINTR)
+ continue;
+ return;
+ }
}
- if (WIFSIGNALED(sshpam_thread_status) &&
- WTERMSIG(sshpam_thread_status) == SIGTERM)
@@ -158,7 +161,11 @@
- if (sshpam_thread_status != -1)
- return (sshpam_thread_status);
- signal(SIGCHLD, sshpam_oldsig);
-- waitpid(thread, &status, 0);
+- while (waitpid(thread, &status, 0) == -1) {
+- if (errno == EINTR)
+- continue;
+- fatal("%s: waitpid: %s", __func__, strerror(errno));
+- }
- return (status);
+ if (WIFSIGNALED(sshpam_child_status) &&
+ WTERMSIG(sshpam_child_status) == SIGTERM)
@@ -173,7 +180,7 @@
static pam_handle_t *sshpam_handle = NULL;
static int sshpam_err = 0;
-@@ -290,55 +223,11 @@ sshpam_password_change_required(int reqd
+@@ -298,55 +227,11 @@ sshpam_password_change_required(int reqd
}
}
@@ -231,7 +238,7 @@
struct pam_response **resp, void *data)
{
Buffer buffer;
-@@ -420,48 +309,84 @@ sshpam_thread_conv(int n, sshpam_const s
+@@ -411,48 +296,85 @@ sshpam_thread_conv(int n, sshpam_const s
}
/*
@@ -310,15 +317,15 @@
+ close(ctxt->pam_csock);
+ ctxt->pam_csock = -1;
+}
-+
+
+- sshpam_conv.conv = sshpam_thread_conv;
+int
+get_pam_done(void *ctxt)
+{
+ struct pam_ctxt *pctxt = (struct pam_ctxt *)ctxt;
+ return (pctxt->pam_done);
+}
-
-- sshpam_conv.conv = sshpam_thread_conv;
++
+/*
+ * Perform PAM authentication.
+ *
@@ -333,6 +340,7 @@
+ struct pam_conv sshpam_conv;
+ int flags = (options.permit_empty_passwd == 0 ?
+ PAM_DISALLOW_NULL_AUTHTOK : 0);
++ struct ssh *ssh = active_state; /* XXX */
+
+ sshpam_conv.conv = sshpam_child_conv;
sshpam_conv.appdata_ptr = ctxt;
@@ -346,7 +354,7 @@
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&sshpam_conv);
if (sshpam_err != PAM_SUCCESS)
-@@ -484,60 +409,34 @@ sshpam_thread(void *ctxtp)
+@@ -477,63 +399,35 @@ sshpam_thread(void *ctxtp)
}
}
@@ -385,6 +393,8 @@
- /* XXX - can't do much about an error here */
- if (sshpam_err == PAM_ACCT_EXPIRED)
- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
+- else if (sshpam_maxtries_reached)
+- ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
- else
- ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
- buffer_free(&buffer);
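Review bot: The hunk now also strips upstream's `else if (sshpam_maxtries_reached) ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);` branch, and the replacement path in the following hunk only logs the PAM error and calls relieve_from_duty() without distinguishing the max-tries case. Unless the child-side rewrite reports the retry limit elsewhere (the rest of sshpam_thread is outside this hunk), the upstream behaviour of ending the authentication attempt once PAM reports its retry limit is lost, and a client could keep being prompted until sshd's own MaxAuthTries applies. Please confirm, and if the omission is intentional record it in the patch header next to the bugzilla reference.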
@@ -396,7 +406,7 @@
+ pam_strerror(sshpam_handle, sshpam_err),
+ sshpam_authctxt->valid ? "" : "illegal user ",
+ sshpam_authctxt->user,
-+ get_remote_name_or_ip(utmp_len, options.use_dns));
++ auth_get_canonical_hostname(ssh, options.use_dns));
+ relieve_from_duty(ctxt);
}
@@ -413,6 +423,7 @@
- close(ctxt->pam_psock);
- close(ctxt->pam_csock);
- memset(ctxt, 0, sizeof(*ctxt));
+- cleanup_ctxt = NULL;
+ if (ctxt != NULL && ctxt->pam_child != 0) {
+ signal(SIGCHLD, sshpam_oldsig);
+ /* callback child should have had exited by now */
@@ -423,18 +434,19 @@
+ close(ctxt->pam_csock);
+ if (sshpam_child_status == -1)
+ waitpid(ctxt->pam_child, &sshpam_child_status, 0);
- cleanup_ctxt = NULL;
++ cleanup_ctxt = NULL;
}
}
-@@ -686,7 +585,6 @@ derive_pam_service_name(Authctxt *authct
+
+@@ -681,7 +575,6 @@ derive_pam_service_name(Authctxt *authct
static int
sshpam_init(Authctxt *authctxt)
{
- extern char *__progname;
const char *pam_rhost, *pam_user, *user = authctxt->user;
const char **ptr_pam_user = &pam_user;
-
-@@ -792,6 +690,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+ struct ssh *ssh = active_state; /* XXX */
+@@ -788,6 +681,7 @@ sshpam_init_ctx(Authctxt *authctxt)
{
struct pam_ctxt *ctxt;
int socks[2];
@@ -442,7 +454,7 @@
debug3("PAM: %s entering", __func__);
/*
-@@ -809,7 +708,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+@@ -805,7 +699,7 @@ sshpam_init_ctx(Authctxt *authctxt)
ctxt = xcalloc(1, sizeof *ctxt);
@@ -451,7 +463,7 @@
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
free(ctxt);
-@@ -817,15 +716,29 @@ sshpam_init_ctx(Authctxt *authctxt)
+@@ -813,15 +707,29 @@ sshpam_init_ctx(Authctxt *authctxt)
}
ctxt->pam_psock = socks[0];
ctxt->pam_csock = socks[1];
@@ -485,11 +497,10 @@
return (ctxt);
}
-@@ -839,8 +752,11 @@ sshpam_query(void *ctx, char **name, cha
+@@ -836,8 +744,10 @@ sshpam_query(void *ctx, char **name, cha
u_char type;
char *msg;
size_t len, mlen;
-+ struct ssh *ssh;
+ int r;
debug3("PAM: %s entering", __func__);
@@ -497,7 +508,7 @@
buffer_init(&buffer);
*name = xstrdup("");
*info = xstrdup("");
-@@ -848,6 +764,17 @@ sshpam_query(void *ctx, char **name, cha
+@@ -845,6 +755,17 @@ sshpam_query(void *ctx, char **name, cha
**prompts = NULL;
plen = 0;
*echo_on = xmalloc(sizeof(u_int));
@@ -515,7 +526,7 @@
while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
type = buffer_get_char(&buffer);
msg = buffer_get_string(&buffer, NULL);
-@@ -879,15 +806,6 @@ sshpam_query(void *ctx, char **name, cha
+@@ -880,15 +801,6 @@ sshpam_query(void *ctx, char **name, cha
/* FALLTHROUGH */
case PAM_AUTH_ERR:
debug3("PAM: %s", pam_strerror(sshpam_handle, type));
@@ -531,7 +542,7 @@
/* FALLTHROUGH */
case PAM_SUCCESS:
if (**prompts != NULL) {
-@@ -898,25 +816,21 @@ sshpam_query(void *ctx, char **name, cha
+@@ -899,25 +811,20 @@ sshpam_query(void *ctx, char **name, cha
free(**prompts);
**prompts = NULL;
}
@@ -553,16 +564,15 @@
+ buffer_put_cstring(&buffer, buffer_ptr(&loginmsg));
+ if (!use_privsep) {
+ /* sync packet state with parrent */
-+ ssh = active_state;
+ r = ssh_packet_get_state(ssh, &buffer);
+ if (r != 0)
+ fatal("%s: get_state failed: %s",
-+ __func__, ssh_err(r));
++ __func__, ssh_err(r));
}
- error("PAM: %s for %s%.100s from %.100s", msg,
- sshpam_authctxt->valid ? "" : "illegal user ",
- sshpam_authctxt->user,
-- get_remote_name_or_ip(utmp_len, options.use_dns));
+- auth_get_canonical_hostname(ssh, options.use_dns));
- /* FALLTHROUGH */
+ ssh_msg_send(ctxt->pam_psock, type, &buffer);
+ /* callback child ends here */
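Review bot: This hunk removes the patch's own `ssh = active_state;` assignment, and the earlier sshpam_query() hunk removes its `struct ssh *ssh;` declaration, yet the retained lines still pass `ssh` to ssh_packet_get_state() and auth_get_canonical_hostname(). That presumably relies on the 7.3 sshpam_query() body declaring `ssh` itself, the way the sshpam_init() hunk shows `struct ssh *ssh = active_state; /* XXX */` for that function, but the declaration is not visible anywhere in this diff, so it is worth confirming against the rebased source rather than discovering it as an undeclared identifier at build time. The enclosing sshpam_query() starts and ends outside the hunk.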
@@ -571,7 +581,7 @@
default:
*num = 0;
**echo_on = 0;
-@@ -970,7 +884,7 @@ sshpam_free_ctx(void *ctxtp)
+@@ -997,7 +904,7 @@ sshpam_free_ctx(void *ctxtp)
struct pam_ctxt *ctxt = ctxtp;
debug3("PAM: %s entering", __func__);
@@ -583,22 +593,20 @@
diff -pur old/auth-pam.h new/auth-pam.h
--- old/auth-pam.h
+++ new/auth-pam.h
-@@ -45,9 +45,10 @@ int do_pam_putenv(char *, char *);
+@@ -45,7 +45,8 @@ int do_pam_putenv(char *, char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
-void sshpam_thread_cleanup(void);
+void sshpam_child_cleanup(void);
++int get_pam_done(void *);
void sshpam_cleanup(void);
int sshpam_auth_passwd(Authctxt *, const char *);
- int is_pam_session_open(void);
-+int get_pam_done(void *);
-
- #endif /* USE_PAM */
+ int sshpam_get_maxtries_reached(void);
diff -pur old/monitor.c new/monitor.c
--- old/monitor.c
+++ new/monitor.c
-@@ -1179,12 +1179,38 @@ mm_answer_pam_init_ctx(int sock, Buffer
+@@ -1184,12 +1184,39 @@ mm_answer_pam_init_ctx(int sock, Buffer
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
sshpam_authok = NULL;
buffer_clear(m);
@@ -629,6 +637,7 @@
+ buffer_len(&loginmsg));
+ buffer_clear(&loginmsg);
+ }
++ buffer_put_int(m, sshpam_get_maxtries_reached());
+ buffer_put_int(m, 0); /* num */
+ mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
+ return (0);
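Review bot: The int appended to the MONITOR_ANS_PAM_QUERY reply on this early-return path is consumed by the unprivileged-side reader (presumably mm_sshpam_query()), which is not in this diff; field order in that reply is part of the privsep boundary protocol, so every path that builds it must emit the maxtries value in the same position, immediately before `num`. A one-line comment on the added line, `/* field order must match the mm_sshpam_query() reader */`, would make the coupling visible on the next rebase. The enclosing mm_answer_pam_query() starts and ends outside the hunk.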
@@ -637,7 +646,7 @@
mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m);
return (0);
}
-@@ -1938,7 +1964,8 @@ monitor_apply_keystate(struct monitor *p
+@@ -1947,7 +1974,8 @@ monitor_apply_keystate(struct monitor *p
int r;
debug3("%s: packet_set_state", __func__);
@@ -650,7 +659,7 @@
diff -pur old/packet.c new/packet.c
--- old/packet.c
+++ new/packet.c
-@@ -2345,7 +2345,7 @@ ssh_packet_restore_state(struct ssh *ssh
+@@ -2449,7 +2449,7 @@ ssh_packet_get_output(struct ssh *ssh)
}
/* Reset after_authentication and reset compression in post-auth privsep */
@@ -659,7 +668,7 @@
ssh_packet_set_postauth(struct ssh *ssh)
{
struct sshcomp *comp;
-@@ -2682,8 +2682,7 @@ ssh_packet_set_state(struct ssh *ssh, st
+@@ -2775,8 +2775,7 @@ ssh_packet_set_state(struct ssh *ssh, st
cipher_set_keycontext(&state->send_context, keyout);
cipher_set_keycontext(&state->receive_context, keyin);
@@ -672,18 +681,18 @@
diff -pur old/packet.h new/packet.h
--- old/packet.h
+++ new/packet.h
-@@ -141,6 +141,7 @@ u_int ssh_packet_get_maxsize(struct ssh
+@@ -144,6 +144,7 @@ u_int ssh_packet_get_maxsize(struct ssh
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
int ssh_packet_set_state(struct ssh *, struct sshbuf *);
+int ssh_packet_set_postauth(struct ssh *ssh);
const char *ssh_remote_ipaddr(struct ssh *);
-
+ int ssh_remote_port(struct ssh *);
diff -pur old/servconf.c new/servconf.c
--- old/servconf.c
+++ new/servconf.c
-@@ -433,6 +433,18 @@ fill_default_server_options(ServerOption
+@@ -435,6 +435,18 @@ fill_default_server_options(ServerOption
options->compression = 0;
}
#endif
@@ -705,7 +714,7 @@
diff -pur old/session.c new/session.c
--- old/session.c
+++ new/session.c
-@@ -2850,7 +2850,7 @@ do_cleanup(Authctxt *authctxt)
+@@ -2890,7 +2890,7 @@ do_cleanup(Authctxt *authctxt)
#ifdef USE_PAM
if (options.use_pam) {
sshpam_cleanup();
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/046-73_solaris_build_issue.patch Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,31 @@
+#
+# Unbreak ./configure on Solaris.
+#
+# Patch source: upstream
+# https://marc.info/?l=openssh-unix-dev&m=147011381114561&w=2
+#
+--- orig/configure.ac Thu Aug 18 14:41:57 2016
++++ new/configure.ac Thu Aug 18 14:44:59 2016
+@@ -751,6 +751,9 @@
+ use_pie=auto
+ check_for_libcrypt_later=1
+ check_for_openpty_ctty_bug=1
++ dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
++ dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
++ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
+ AC_DEFINE([PAM_TTY_KLUDGE], [1],
+ [Work around problematic Linux PAM modules handling of PAM_TTY])
+ AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
+@@ -1790,11 +1793,8 @@
+ warn \
+ ])
+
+-dnl Wide character support. Linux man page says it needs _XOPEN_SOURCE.
+-saved_CFLAGS="$CFLAGS"
+-CFLAGS="$CFLAGS -D_XOPEN_SOURCE"
++dnl Wide character support.
+ AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
+-CFLAGS="$saved_CFLAGS"
+
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/047-login_grace_time_watchdog.patch Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,165 @@
+#
+# Implements watchdog process, which backs up login_grace_time alarm.
+#
+# If the main process is hung in a syscall, SIGALRM is queued but not
+# delivered and the connection stays unauthenticated for too long.
+#
+# Function start_grace_watchdog forks of a watchdog process, that sends the
+# main process a SIGTERM, if it does neither authenticate nor exit before
+# (login_grace_time + GRACE_WATCHDOG_THRESHOLD).
+# If the main process does not react to SIGTERM, SIGKILL is sent after
+# additional GRACE_WATCHDOG_THRESHOLD seconds.
+#
+# Patch source: in-house
+# Reported to [email protected] as security issue.
+#
+# Per agreement with upstream developers, filed:
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2615
+#
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c
++++ new/sshd.c
+@@ -252,9 +252,16 @@ Buffer loginmsg;
+ /* Unprivileged user */
+ struct passwd *privsep_pw = NULL;
+
++/* Pid of process backing up login_grace_time alarm. */
++pid_t grace_watchdog_pid = -1;
++
++/* Time in seconds */
++#define GRACE_WATCHDOG_THRESHOLD 10
++
+ /* Prototypes for various functions defined later in this file. */
+ void destroy_sensitive_data(void);
+ void demote_sensitive_data(void);
++static void stop_grace_watchdog(void);
+
+ #ifdef WITH_SSH1
+ static void do_ssh1_kex(void);
+@@ -369,12 +376,98 @@ grace_alarm_handler(int sig)
+ signal(SIGTERM, SIG_IGN);
+ kill(0, SIGTERM);
+ }
++ stop_grace_watchdog();
+
+ /* Log error and exit. */
+ sigdie("Timeout before authentication for %s port %d",
+ ssh_remote_ipaddr(active_state), ssh_remote_port(active_state));
+ }
+
++static inline void
++sleep_reliably(unsigned int seconds)
++{
++ while (seconds > 0)
++ seconds = sleep(seconds);
++}
++
++/*
++ * Implements watchdog process, which backs up login_grace_time alarm.
++ *
++ * If the main process is hung in a syscall, SIGALRM is queued but not
++ * delivered and the connection stays unauthenticated for too long.
++ *
++ * This function forks off a watchdog process, which sends the main process
++ * a SIGTERM, if it does neither authenticate nor exit before
++ * (login_grace_time + GRACE_WATCHDOG_THRESHOLD).
++ * If the main process does not react to SIGTERM, SIGKILL is sent after
++ * additional GRACE_WATCHDOG_THRESHOLD seconds.
++ */
++static void
++start_grace_watchdog(int login_grace_time)
++{
++ pid_t ppid = getpid();
++
++ if (login_grace_time == 0)
++ return;
++
++ if (grace_watchdog_pid != -1) {
++ error("login_grace_time watchdog process already running");
++ return;
++ }
++
++ grace_watchdog_pid = fork();
++ if (grace_watchdog_pid == -1)
++ fatal("fork of login_grace_time watchdog process failed");
++ else if (grace_watchdog_pid > 0)
++ return;
++
++ /* child */
++
++ /* close open fds, including client socket and startup_pipe */
++ closefrom(3);
++
++ /* kill the monitor with SIGTERM after timeout + threshold */
++ sleep_reliably(login_grace_time + GRACE_WATCHDOG_THRESHOLD);
++ if (getppid() != ppid) {
++ debug("login_grace_time watchdog still active, "
++ "but watched process %d already exited.", (int)ppid);
++ exit(0);
++ }
++ error("Timeout before authentication for %s. Killing process %d "
++ "with SIGTERM.", ssh_remote_ipaddr(active_state), (int)ppid);
++ kill(ppid, SIGTERM);
++
++ /* if neccessary, kill it with SIGKILL */
++ sleep_reliably(GRACE_WATCHDOG_THRESHOLD);
++ if (getppid() != ppid)
++ exit(0);
++ error("Watched process %d did not respond to SIGTERM. "
++ "Killing it with SIGKILL.", (int)ppid);
++ kill(ppid, SIGKILL);
++
++ /* give up */
++ sleep_reliably(GRACE_WATCHDOG_THRESHOLD);
++ if (getppid() == ppid) {
++ error("login_grace_time watchdog failed to kill %d", (int)ppid);
++ exit(255);
++ }
++ exit(0);
++}
++
++/* kill grace watchdog process */
++static void
++stop_grace_watchdog()
++{
++ if (grace_watchdog_pid == -1) {
++ debug3("login_grace_time watchdog process not running");
++ return;
++ }
++
++ kill(grace_watchdog_pid, SIGTERM);
++ grace_watchdog_pid = -1;
++}
++
++
+ /*
+ * Signal handler for the key regeneration alarm. Note that this
+ * alarm only occurs in the daemon waiting for connections, and it does not
+@@ -723,6 +816,7 @@ privsep_preauth(Authctxt *authctxt)
+ /* child */
+ close(pmonitor->m_sendfd);
+ close(pmonitor->m_log_recvfd);
++ grace_watchdog_pid = -1;
+
+ /* Arrange for logging to be sent to the monitor */
+ set_log_handler(mm_log_handler, pmonitor);
+@@ -2235,8 +2329,10 @@ main(int ac, char **av)
+ * are about to discover the bug.
+ */
+ signal(SIGALRM, grace_alarm_handler);
+- if (!debug_flag)
++ if (!debug_flag) {
+ alarm(options.login_grace_time);
++ start_grace_watchdog(options.login_grace_time);
++ }
+
+ sshd_exchange_identification(ssh, sock_in, sock_out);
+
+@@ -2302,6 +2398,7 @@ main(int ac, char **av)
+ */
+ alarm(0);
+ signal(SIGALRM, SIG_DFL);
++ stop_grace_watchdog();
+ authctxt->authenticated = 1;
+ if (startup_pipe != -1) {
+ close(startup_pipe);
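Review bot: stop_grace_watchdog() terminates the watchdog but never reaps it, so after a successful authentication the dead child lingers as a zombie for the life of the session unless a SIGCHLD handler elsewhere collects it, which the hunk does not show. With SIGTERM at its default disposition in the child the sleeping process ends immediately, so a blocking wait after the kill is cheap: `kill(grace_watchdog_pid, SIGTERM);` `waitpid(grace_watchdog_pid, NULL, 0);` `grace_watchdog_pid = -1;`. waitpid() is async-signal-safe, so the same code is acceptable on the grace_alarm_handler() path. Separately, the watchdog child calls ssh_remote_ipaddr(active_state) after closefrom(3) has closed the client socket; that is only safe if the address string was already cached before the fork, which is worth confirming and recording in a comment next to the closefrom() call.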
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/048-maxstartups-log_dropped.patch Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,24 @@
+#
+# When MaxStartups of unauthenticated concurrent connections is hit,
+# additional connections are dropped.
+#
+# Dropped connections should be logged. Server administrator should be able to
+# find this information and might be interested in details.
+#
+# Patch source: in-house
+# Offered upstream:
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2613
+#
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c
++++ new/sshd.c
+@@ -1419,7 +1419,8 @@ server_accept_loop(int *sock_in, int *so
+ continue;
+ }
+ if (drop_connection(startups) == 1) {
+- debug("drop connection #%d", startups);
++ logit("MaxStartups: dropping connection #%d",
++ startups);
+ close(*newsock);
+ continue;
+ }
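Review bot: The new logit() message records only the startup counter, not which peer was dropped, which is the detail an administrator investigating a MaxStartups event actually needs; `*newsock` is still open at this point, so the peer address can be taken from it (getpeername() formatted with getnameinfo() and NI_NUMERICHOST) before the close() on the next line. This line also fires once per rejected connection while the server is saturated, so under a connection flood it is itself high-volume; that is the intended signal, but stating it in the patch header would tell operators what to expect. The enclosing server_accept_loop() starts and ends outside the hunk.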
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/049-kexinit_mem_exhaust.patch Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,21 @@
+#
+# Unregister the KEXINIT handler after message has been received.
+#
+# CVE-2016-8858
+#
+# Patch source: upstream
+# https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe
+#
+# We will drop this patch when upgrading to OpenSSH 7.4 or later.
+#
+diff -pur old/kex.c new/kex.c
+--- old/kex.c
++++ new/kex.c
+@@ -517,6 +517,7 @@ kex_input_kexinit(int type, u_int32_t se
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
--- a/components/openssh/sources/kexgssc.c Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/sources/kexgssc.c Wed Nov 16 12:17:49 2016 -0800
@@ -63,7 +63,6 @@
Gssctxt *ctxt;
OM_uint32 maj_status, min_status, ret_flags;
uint_t klen, kout, slen = 0, strlen;
- DH *dh;
BIGNUM *dh_server_pub = NULL;
BIGNUM *shared_secret = NULL;
BIGNUM *p = NULL;
@@ -284,7 +283,9 @@
switch (kex->kex_type) {
case KEX_GSS_GRP1_SHA1:
case KEX_GSS_GRP14_SHA1:
- kex_dh_hash(kex->client_version_string,
+ kex_dh_hash(
+ kex->hash_alg,
+ kex->client_version_string,
kex->server_version_string,
buffer_ptr(kex->my), buffer_len(kex->my),
buffer_ptr(kex->peer), buffer_len(kex->peer),
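Review bot: kex_dh_hash() now takes its digest from `kex->hash_alg` instead of an implicit SHA-1, yet the case labels above it (KEX_GSS_GRP1_SHA1, KEX_GSS_GRP14_SHA1) still promise SHA-1 by name; the change is only correct if the GSS entries of the kex method table populate hash_alg with SSH_DIGEST_SHA1, and that table is not in this diff. The same dependency exists in the kexgsss.c hunk that inserts `kex->hash_alg,` into its kex_dh_hash() call. A short comment above the call, `/* hash_alg for the GSS group methods must be SHA-1 (see kex method table) */`, would record where the value comes from. The enclosing function starts and ends outside the hunk.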
--- a/components/openssh/sources/kexgsss.c Wed Nov 16 12:04:24 2016 -0800
+++ b/components/openssh/sources/kexgsss.c Wed Nov 16 12:17:49 2016 -0800
@@ -76,7 +76,6 @@
Gssctxt *ctxt = NULL;
uint_t slen, klen, kout;
uchar_t *kbuf;
- DH *dh;
int min = -1, max = -1, nbits = -1;
BIGNUM *shared_secret = NULL;
BIGNUM *dh_client_pub = NULL;
@@ -236,6 +235,7 @@
case KEX_GSS_GRP1_SHA1:
case KEX_GSS_GRP14_SHA1:
kex_dh_hash(
+ kex->hash_alg,
kex->client_version_string, kex->server_version_string,
buffer_ptr(kex->peer), buffer_len(kex->peer),
buffer_ptr(kex->my), buffer_len(kex->my),
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-none Wed Nov 16 12:17:49 2016 -0800
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for the SSH user authentication type of 'none' which is
+# used when no authentication is required at all. This PAM fragment prevents
+# authentication using sshd-none to avoid unnecessary interaction with
+# failed logins tracking in certain SSH and PAM configurations. If SSH
+# logins are desired without any authentication then this is possible by
+# configuring both the sshd_config(5) options 'PasswordAuthentication' and
+# 'PermitEmptyPasswords' to be 'yes' and using either the 'password' or
+# 'keyboard-interactive' user authentication methods.
+#
+auth definitive pam_deny.so.1
+account definitive pam_deny.so.1
+session definitive pam_deny.so.1
+password definitive pam_deny.so.1